Abstract. The classical LTL synthesis problem is purely qualitative: the given LTL specification is
realized or not by a reactive system. LTL is not expressive enough to formalize the correctness of reactive
systems with respect to some quantitative aspects. This paper extends the qualitative LTL synthesis
setting to a quantitative setting. The alphabet of actions is extended with a weight function ranging over
the rational numbers. The value of an infinite word is the mean-payoff of the weights of its letters.
The synthesis problem then amounts to automatically constructing (if possible) a reactive system whose
executions all satisfy a given LTL formula and have mean-payoff values greater than or equal to some
given threshold. The latter problem is called LTLmp synthesis and the LTLmp realizability problem asks
to check whether such a system exists. We first show that LTLmp realizability is not more difficult
than LTL realizability: it is 2ExpTime-Complete. This is done by reduction to two-player mean-payoff
parity games. While infinite memory strategies are required to realize LTLmp specifications in general,
we show that $\epsilon$-optimality can be obtained with finite memory strategies, for any $\epsilon > 0$. To obtain
an efficient algorithm in practice, we define a Safraless procedure to decide whether there exists a
finite-memory strategy that realizes a given specification for some given threshold. This procedure is
based on a reduction to two-player energy safety games which are in turn reduced to safety games.
Finally, we show that those safety games can be solved efficiently by exploiting the structure of their state
spaces and by using antichains as a symbolic data-structure. All our results extend to multi-dimensional
weights. We have implemented an antichain-based procedure and we report on some promising
experimental results.

1 Introduction 

Formal specifications of reactive systems are usually expressed using formalisms like the linear temporal
logic (LTL), the branching time temporal logic (CTL), or automata formalisms like Büchi automata. Those
formalisms allow the specifier to express Boolean properties (called qualitative properties in the sequel) in
the sense that a reactive system either conforms to them, or violates them. In addition to those qualitative
formalisms, there is a clear need for another family of formalisms that are able to express quantitative
properties of reactive systems. Abstractly, a quantitative property can be seen as a function that maps
an execution of a reactive system to a numerical value. For example, in a client-server application, this
numerical value could be the mean number of steps that separate the time at which a request has been
emitted by a client and the time at which this request has been granted by the server along an execution.
Quantitative properties are concerned with a large variety of aspects like quality of service, bandwidth,
energy consumption, etc. But quantities are also useful to compare the merits of alternative solutions, e.g. we
may prefer a solution in which the quality of service is high and the energy consumption is low. Currently,
there is a large effort of the research community with the objective to lift the theory of formal verification
and synthesis from the qualitative world to the richer quantitative world [20] (see related works for more
details). In this paper, we consider mean-payoff and energy objectives. The alphabet of actions is extended
with a weight function ranging over the rational numbers. A mean-payoff objective is a set of infinite words
such that the mean value of the weights of their letters is greater than or equal to a given rational threshold
[26], while an energy objective is parameterized by a non-negative initial energy level $c_0$ and contains all
the words whose finite prefixes have a sum of weights greater than or equal to $-c_0$ Q.

In this paper, we participate in this research effort by providing theoretical complexity results, practical
algorithmic solutions, and a tool for the automatic synthesis of reactive systems from quantitative
specifications expressed in the linear time temporal logic LTL extended with (multi-dimensional) mean-payoff
and (multi-dimensional) energy objectives. To illustrate our contributions, let us consider the following
specification of a controller that should grant exclusive access to a resource to two clients.



Example 1. A client requests access to the resource by setting to true its request signal ($r_1$ for client 1 and
$r_2$ for client 2), and the server grants those requests by setting to true the respective grant signal $g_1$ or $g_2$.
We want to synthesize a server that eventually grants any client request, and that only grants one request at
a time. This can be formalized in LTL where the signals in $I = \{r_1, r_2\}$ are controlled by the environment
(the two clients), and the signals in $O = \{g_1, w_1, g_2, w_2\}$ are controlled by the server:

$\phi_1 = \Box(r_1 \rightarrow X(w_1 \, U \, g_1))$

$\phi_2 = \Box(r_2 \rightarrow X(w_2 \, U \, g_2))$

$\phi_3 = \Box(\neg g_1 \vee \neg g_2)$

$\phi = \phi_1 \wedge \phi_2 \wedge \phi_3$

Intuitively, $\phi_1$ (resp. $\phi_2$) specifies that any request of client 1 (resp. client 2) must be eventually granted,
and in-between the waiting signal $w_1$ (resp. $w_2$) must be high. Formula $\phi_3$ stands for mutual exclusion.

The formula $\phi$ is realizable. One possible strategy for the server is to alternately assert $w_2, g_1$ and
$w_1, g_2$, i.e. alternately grant client 1 and client 2. While this strategy is formally correct, as it realizes the
formula $\phi$ against all possible behaviors of the clients, it may not be the one that we expect. Indeed, we
may prefer a solution that does not make unsolicited grants for example. Or, we may prefer a solution that
gives, in case of request by both clients, some priority to client 2's request. In the latter case, one elegant
solution would be to associate a cost equal to 2 when $w_2$ is true and a cost equal to 1 when $w_1$ is true. This
clearly will favor solutions that give priority to requests from client 2 over requests from client 1. We will
develop several other examples in the paper and describe the solutions that we obtain automatically with
our algorithms.

Contributions. We now detail our contributions and give some hints about the proofs. In Section 2, we
define the realizability problems for LTLmp (LTL extended with mean-payoff objectives) and LTLe (LTL
extended with energy objectives), and give some examples. In Section 3, we show that, as for the LTL
realizability problem, both the LTLmp and LTLe realizability problems are 2ExpTime-Complete. As the
proofs of those three results follow a similar structure, let us briefly recall how the 2ExpTime upper bound
of the classical LTL realizability problem is established in [23]. The formula is first turned into an equivalent
nondeterministic Büchi automaton, which is then transformed into a deterministic parity automaton using
Safra's construction. The latter automaton can be seen as a two-player parity game in which Player 1 wins
if and only if the formula is realizable. For the LTLmp realizability problem, our construction follows the
same structure, except that we go to a two-player parity game with an additional mean-payoff objective, and
for the LTLe realizability problem, we need to consider a parity game with an additional energy objective.
By a careful analysis of the complexity of all the steps involved in those two constructions, we build, on
the basis of results in [12] and [14], solutions that provide the announced 2ExpTime upper bound.

It is known that winning mean-payoff parity games may require infinite memory strategies, but there
exist $\epsilon$-optimal finite-memory strategies [14]. In contrast, for energy parity games, it is known that
finite-memory optimal strategies exist [12]. In Section 3, we show that those results transfer to LTLmp (resp.
LTLe) realizability problems thanks to the reduction of these problems to mean-payoff (resp. energy) parity
games. Furthermore, we show that under finite-memory strategies, LTLmp realizability is in fact equivalent
to LTLe realizability: a specification is MP-realizable under finite-memory strategies if and only if it is
E-realizable, by simply shifting the weights of the signals by the threshold value. Because finite-memory
strategies are more interesting in practice, we thus concentrate on the LTLe realizability problem in the rest of
the paper.

Safra's construction has so far resisted all the practical attempts to implement it efficiently, see for
example [1]. We develop in Section 4, following E2l, a Safraless procedure for the LTLe realizability
problem, that is based on a reduction to a safety game, with the nice property to transform a quantitative
objective into a simple qualitative objective. The main building blocks of this procedure are as follows. (1)
Instead of transforming an LTL formula into a deterministic parity automaton, we prefer to use a universal
co-Büchi automaton as proposed in El. To deal with the energy objectives, we thus transform the formula
into a universal co-Büchi energy automaton for some initial credit $c_0$, which requires that all runs on an
input word $w$ visit finitely many accepting states and the energy level of $w$ is always positive starting from
the initial energy level $c_0$. (2) By strengthening the co-Büchi condition into a $K$-co-Büchi condition (as
done in [24, 18]), where at most $K$ accepting states can be visited by each run, we then go to an energy
safety game. We show that for sufficiently large value $K$ and initial credit $c_0$, this reduction is complete. (3)
Any energy safety game is equivalent to a safety game, as shown in [9].

Finally, in Section 5, we discuss some implementation issues. The proposed Safraless construction has
two main advantages. Firstly, the search for winning strategies for LTLe realizability can be incremental on
$K$ and $c$ (avoiding in practice the need to consider the large theoretical bounds $K$ and $C$ that ensure completeness).
Secondly, the state space of the safety game can be partially ordered and solved by a backward fixpoint
algorithm. Since the latter manipulates sets of states closed for this order, it can be made efficient and
symbolic by working only on the antichain of their maximal elements. As described in Section 6, our
results can be extended to the multi-dimensional case, i.e. tuples of weights. All the algorithms have been
implemented in our tool Acacia+ [4], and promising experimental results are reported in Section 7.

Related works. The LTL synthesis problem was first solved in [23]. Safraless approaches have been
proposed in [21, 22, 24, 18] and implemented in prototypes of tools H21 117116141. All those works only treat
plain qualitative LTL, and not the quantitative extensions considered in this article.

Mean-payoff games [26] and energy games [7, 9], extensions with parity conditions [14, 12, 8], or
multi-dimensions [13, 15] have recently received much attention from the research community. The use of such
game formalisms has been advocated in [3] for specifying quantitative properties of reactive systems.
Several among the motivations developed in [3] are similar to our motivations for considering quantitative
extensions of LTL. All these related works make the assumption that the game graph is given explicitly
(and not implicitly using an LTL formula), as in our case.

In [5], Boker et al. introduce extensions of linear and branching time temporal logics with operators
to express constraints on values accumulated along the paths of a weighted Kripke structure. One of their
extensions is similar to LTLmp. However the authors of [5] only study the complexity of model-checking
problems whereas we consider realizability and synthesis problems.

2 Problem statement 
2.1 Preliminaries 

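Linear temporal logic - The formulas of linear temporal logic (LTL) are defined over a finite set $P$ of
atomic propositions. The syntax is given by the grammar:

$\phi ::= p \mid \phi \vee \phi \mid \neg\phi \mid X\phi \mid \phi \, U \, \phi \qquad p \in P$

The notations true, false, $\phi_1 \wedge \phi_2$, $\Diamond\phi$ and $\Box\phi$ are defined as usual. LTL formulas $\phi$ are interpreted on
infinite words $u = \sigma_0 \sigma_1 \sigma_2 \cdots \in (2^P)^\omega$ via a satisfaction relation $u \models \phi$ inductively defined as:

$u \models p$ if $p \in \sigma_0$

$u \models \phi_1 \vee \phi_2$ if $u \models \phi_1$ or $u \models \phi_2$

$u \models \neg\phi$ if $u \not\models \phi$

$u \models X\phi$ if $\sigma_1 \sigma_2 \ldots \models \phi$

$u \models \phi_1 \, U \, \phi_2$ if $\exists n \ge 0 \cdot \sigma_n \sigma_{n+1} \ldots \models \phi_2$ and $\forall i, 0 \le i < n \cdot \sigma_i \sigma_{i+1} \ldots \models \phi_1$.

Given an LTL formula $\phi$, we denote by $[\![\phi]\!]$ the set of words $u$ such that $u \models \phi$.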

LTL Realizability and synthesis - The realizability problem for LTL is best seen as a game between two
players. Let $\phi$ be an LTL formula over the set $P = I \uplus O$ partitioned into $I$ the set of input signals controlled
by Player $I$ (the environment), and $O$ the set of output signals controlled by Player $O$ (the controller). With
this partition of $P$, we associate the three following alphabets: $\Sigma_P = 2^P$, $\Sigma_O = 2^O$, and $\Sigma_I = 2^I$.

The realizability game is played in turns. Player $O$ starts by giving $o_0 \in \Sigma_O$, Player $I$ responds by giving
$i_0 \in \Sigma_I$, then Player $O$ gives $o_1 \in \Sigma_O$ and Player $I$ responds by $i_1 \in \Sigma_I$, and so on. This game lasts forever
and the outcome of the game is the infinite word $(o_0 \cup i_0)(o_1 \cup i_1)(o_2 \cup i_2) \cdots \in \Sigma_P^\omega$.

The players play according to strategies. A strategy for Player $O$ is a mapping $\lambda_O : (\Sigma_O \Sigma_I)^* \to \Sigma_O$,
while a strategy for Player $I$ is a mapping $\lambda_I : (\Sigma_O \Sigma_I)^* \Sigma_O \to \Sigma_I$. The outcome of the strategies $\lambda_O$ and
$\lambda_I$ is the word $Outcome(\lambda_O, \lambda_I) = (o_0 \cup i_0)(o_1 \cup i_1) \ldots$ such that $o_0 = \lambda_O(\epsilon)$, $i_0 = \lambda_I(o_0)$ and for all
$k \ge 1$, $o_k = \lambda_O(o_0 i_0 \cdots o_{k-1} i_{k-1})$ and $i_k = \lambda_I(o_0 i_0 \cdots o_{k-1} i_{k-1} o_k)$. We denote by $Outcome(\lambda_O)$ the
set of all outcomes $Outcome(\lambda_O, \lambda_I)$ with $\lambda_I$ any strategy of Player $I$. We let $\Pi_O$ (resp. $\Pi_I$) be the set of
strategies for Player $O$ (resp. Player $I$).

Given an LTL formula $\phi$ (the specification), the LTL realizability problem is to decide whether there
exists a strategy $\lambda_O$ of Player $O$ such that $Outcome(\lambda_O, \lambda_I) \models \phi$ against all strategies $\lambda_I$ of Player $I$. If
such a winning strategy exists, we say that the specification $\phi$ is realizable. The LTL synthesis problem asks
to produce a strategy $\lambda_O$ that realizes $\phi$, when it is realizable.

Moore machines - It is known that the LTL realizability problem is 2ExpTime-Complete and that
finite-memory strategies suffice in case of realizability [23]. A strategy $\lambda_O$ of Player $O$ is finite-memory if there
exists a right-congruence $\sim$ on $(\Sigma_O \Sigma_I)^*$ of finite index such that $\lambda_O(u) = \lambda_O(u')$ for all $u \sim u'$. It is
equivalent to say that it can be described by a Moore machine $\mathcal{M} = (M, m_0, \alpha_U, \alpha_N)$ defined as follows.
The non-empty set $M$ is the finite memory¹ of $\mathcal{M}$, and $m_0$ is its initial memory state. The memory update
function $\alpha_U : M \times \Sigma_I \to M$ modifies the current memory state at each $i \in \Sigma_I$ emitted by Player $I$,
and the next-move function $\alpha_N : M \to \Sigma_O$ indicates which $o \in \Sigma_O$ is proposed by Player $O$ given
the current memory state. The function $\alpha_U$ is naturally extended to words $u \in \Sigma_I^*$. The language of $\mathcal{M}$,
denoted by $L(\mathcal{M})$, is the set of words $u = (o_0 \cup i_0)(o_1 \cup i_1) \cdots \in \Sigma_P^\omega$ such that $o_0 = \alpha_N(m_0)$ and for
all $k \ge 1$, $o_k = \alpha_N(\alpha_U(m_0, i_0 \cdots i_{k-1}))$. The size $|\mathcal{M}|$ of a Moore machine is defined as the size $|M|$ of
its memory. Therefore, with these notations, an LTL formula is realizable iff there exists a Moore machine
$\mathcal{M}$ such that $L(\mathcal{M}) \subseteq [\![\phi]\!]$.

Theorem 1 ([23]). The LTL realizability problem is 2ExpTime-Complete and any realizable LTL formula
is realizable by a finite-memory strategy.

2.2 Synthesis with mean-payoff objectives 

LTLmp realizability and synthesis - Consider a finite set $P$ partitioned as $I \uplus O$. Let $Lit(P)$ be the set
$\{p \mid p \in P\} \cup \{\neg p \mid p \in P\}$ of literals over $P$, and let $w : Lit(P) \to \mathbb{Z}$ be a weight function where positive
numbers represent rewards.² This function is extended to $\Sigma_I$ (resp. $\Sigma_O$) as follows:
$w(i) = \sum_{p \in i} w(p) + \sum_{p \in I \setminus \{i\}} w(\neg p)$ for $i \in \Sigma_I$ (resp. $w(o) = \sum_{p \in o} w(p) + \sum_{p \in O \setminus \{o\}} w(\neg p)$ for $o \in \Sigma_O$).
In this way, it can also be extended to $\Sigma_P$ as $w(o \cup i) = w(o) + w(i)$ for all $o \in \Sigma_O$ and $i \in \Sigma_I$.³ In the sequel,
we denote by $(P, w)$ the pair given by the finite set $P$ and the weight function $w$ over $Lit(P)$; we also use the
weighted alphabet $(\Sigma_P, w)$.

Consider an LTL formula $\phi$ over $(P, w)$ and an outcome $u = (o_0 \cup i_0)(o_1 \cup i_1) \cdots \in \Sigma_P^\omega$ produced
by Players $I$ and $O$. We associate a value $Val(u)$ with $u$ that captures the two objectives of Player $O$ of
both satisfying $\phi$ and achieving a mean-payoff objective. For each $n \ge 0$, let $u(n)$ be the prefix of $u$ of
length $n$. We define the energy level of $u(n)$ as $EL(u(n)) = \sum_{k=0}^{n-1} w(o_k) + w(i_k)$. We then assign to $u$ a
mean-payoff value equal to $MP(u) = \liminf_{n \to \infty} \frac{1}{n} EL(u(n))$. Finally we define the value of $u$ as:



Given an LTL formula $\phi$ over $(P, w)$ and a threshold $\nu \in \mathbb{Q}$, the LTLmp realizability problem (resp.
LTLmp realizability problem under finite memory) asks to decide whether there exists a strategy (resp.
finite-memory strategy) $\lambda_O$ of Player $O$ such that $Val(Outcome(\lambda_O, \lambda_I)) \ge \nu$ against all strategies $\lambda_I$ of
Player $I$, in which case we say that $\phi$ is MP-realizable (resp. MP-realizable under finite memory). The LTLmp
synthesis problem is to produce such a winning strategy $\lambda_O$ for Player $O$. Therefore the aim is to achieve
two objectives: (i) realizing $\phi$, (ii) having a long-run average reward greater than the given threshold.

¹ The memory $M$ is the set of equivalence classes for $\sim$.

² We use weights at several places of this paper. In some statements and proofs, we take the freedom to use rational
weights as it is equivalent up to rescaling. However we always assume that weights are integers encoded in binary
for complexity results.

³ The decomposition of $w(o \cup i)$ as the sum $w(o) + w(i)$ emphasizes the partition of $P$ as $I \uplus O$ and will be useful
in some proofs.




Optimality - Given $\phi$ an LTL formula over $(P, w)$, the optimal value (for Player $O$) is defined as

$\nu_\phi = \sup_{\lambda_O \in \Pi_O} \inf_{\lambda_I \in \Pi_I} Val(Outcome(\lambda_O, \lambda_I)).$

For a real-valued $\epsilon \ge 0$, a strategy $\lambda_O$ of Player $O$ is $\epsilon$-optimal if $Val(Outcome(\lambda_O, \lambda_I)) \ge \nu_\phi - \epsilon$ against
all strategies $\lambda_I$ of Player $I$. It is optimal if it is $\epsilon$-optimal with $\epsilon = 0$. Notice that $\nu_\phi$ is equal to $-\infty$ if
Player $O$ cannot realize $\phi$.

Example 2. Let us come back to Example 1 of a client-server system with two clients sharing a resource.
The specification has been formalized by an LTL formula $\phi$ over the alphabet $P = I \uplus O$, with
$I = \{r_1, r_2\}$, $O = \{g_1, w_1, g_2, w_2\}$. Suppose that we want to add the following constraints: client 2's requests
take the priority over client 1's requests, but client 1's requests should still be eventually granted. Moreover, we
would like to keep minimal the delay between requests and grants. This latter requirement has more the
flavor of an optimality criterion and is best modeled using a weight function and a mean-payoff objective.
To this end, we impose penalties to the waiting signals $w_1, w_2$ controlled by Player $O$, with a larger penalty
to $w_2$ than to $w_1$. We thus use the following weight function $w : Lit(P) \to \mathbb{Z}$:

$w(l) = \begin{cases} -1 & \text{if } l = w_1 \\ -2 & \text{if } l = w_2 \\ 0 & \text{otherwise.} \end{cases}$

One optimal strategy for the server is to behave as follows: it almost always grants the resource to
client 2 immediately after $r_2$ is set to true by client 2, and with a decreasing frequency grants request $r_1$
emitted by client 1. Such a server ensures a mean-payoff value equal to $-1$ against the most demanding
behavior of the clients (where they are constantly requesting the shared resource). Such a strategy requires
the server to use an infinite memory as it has to grant client 1 with an infinitely decreasing frequency. Note
that a server that would grant client 1 in such a way without the presence of requests by client 1 would still
be optimal.

It is easy to see that no finite memory server can be optimal. Indeed, if we allow the server to count
only up to a fixed positive integer $k \in \mathbb{N}$ then the best that this server can do is as follows: grant immediately
any request by client 2 if the last ungranted request of client 1 has been emitted less than $k$ steps in the past,
otherwise grant the request of client 1. The mean-payoff value of this solution, in the worst-case (when the
two clients always emit their respective request) is equal to $-(1 + \frac{1}{k})$. So, even if finite memory cannot be
optimal in this example, it is the case that given any $\epsilon > 0$, we can devise a finite-memory strategy that is
$\epsilon$-optimal.
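
The finite-memory server described in Example 2, written as a Moore machine and run against clients that always request, as an added Python example (not code from the paper or its tool). The memory encoding, the function names and the restriction to k ≥ 2 (in this model the k = 1 server never serves client 2) are assumptions of this sketch.

```python
from fractions import Fraction

WEIGHT = {"w1": -1, "w2": -2}   # weight function of Example 2; every other literal weighs 0
M0 = (0, False)                 # memory: (age of client 1's oldest ungranted request, client 2 pending?)

def next_move(m, k):
    """Next-move function: the output letter depends on the memory state only."""
    age1, pending2 = m
    if age1 >= k:                                   # client 1 has waited k steps: serve it
        return frozenset({"g1"} | ({"w2"} if pending2 else set()))
    if pending2:                                    # otherwise client 2 has priority
        return frozenset({"g2"} | ({"w1"} if age1 else set()))
    return frozenset({"g1"}) if age1 else frozenset()

def update(m, i, k):
    """Memory update on the input letter i (the set of request signals that are true)."""
    age1, pending2 = m
    o = next_move(m, k)
    if "g1" in o:
        age1 = 0
    if "g2" in o:
        pending2 = False
    if age1 or "r1" in i:                           # a pending or new request of client 1 ages by one step
        age1 += 1
    return (age1, pending2 or "r2" in i)

def lasso(k, i=frozenset({"r1", "r2"})):
    """Run the machine against clients emitting i forever; return (stem, cycle) of output letters."""
    seen, outputs, m = {}, [], M0
    while m not in seen:                            # finite memory: a state must repeat
        seen[m] = len(outputs)
        outputs.append(next_move(m, k))
        m = update(m, i, k)
    return outputs[:seen[m]], outputs[seen[m]:]

def mean_payoff(k):
    """Mean-payoff of the ultimately periodic outcome = average weight over the cycle."""
    _, cycle = lasso(k)
    return Fraction(sum(WEIGHT.get(s, 0) for o in cycle for s in o), len(cycle))

def lasso_satisfies_spec(k):
    """Check phi_1, phi_2, phi_3 on this one outcome (both clients always request)."""
    stem, cycle = lasso(k)
    mutex = all(not {"g1", "g2"} <= o for o in stem + cycle)
    served = all(any(g in o for o in cycle) for g in ("g1", "g2"))
    waiting = all(("g1" in o or "w1" in o) and ("g2" in o or "w2" in o) for o in cycle)
    return mutex and served and waiting

def memory_needed(eps):
    """Smallest k >= 2 whose server is eps-optimal for the optimal value -1 (eps > 0)."""
    k = 2
    while mean_payoff(k) < -1 - Fraction(eps):
        k += 1
    return k
```

For every k the value stays strictly below −1, while `memory_needed` shows how the counter bound grows as ε shrinks.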

LTLe realizability and synthesis - For the proofs of this paper, we also need to consider realizability and
synthesis with energy objectives (instead of mean-payoff objectives). With the same notations as before, the
LTLe realizability problem is to decide whether $\phi$ is E-realizable, that is, whether there exists a strategy $\lambda_O$
of Player $O$ and an integer $c_0 \in \mathbb{N}$ such that for all strategies $\lambda_I$ of Player $I$, (i) $u = Outcome(\lambda_O, \lambda_I) \models \phi$,
(ii) $\forall n \ge 0 \cdot c_0 + EL(u(n)) \ge 0$. Instead of requiring that $MP(u) \ge \nu$ for some given threshold $\nu$ as a
second objective, we thus ask if there exists an initial credit $c_0$ such that the energy level of each prefix
$u(n)$ remains positive. When $\phi$ is E-realizable, the LTLe synthesis problem is to produce such a winning
strategy $\lambda_O$ for Player $O$. Finally, we define the minimum initial credit as the least value of initial credit for
which $\phi$ is E-realizable. A strategy $\lambda_O$ is optimal if it is winning for the minimum initial credit.

3 Computational complexity of the LTLmp realizability problem

In this section, we solve the LTLmp realizability problem, and we establish its complexity. Our solution 
relies on a reduction to a mean-payoff parity game. The same result also holds for the LTLe realizability 
problem. 

Theorem 2. The LTLmp realizability problem is 2ExpTime-Complete. 

Before proving this result, we recall useful notions on parity automata and on game graphs. 



3.1 Deterministic parity automata 



A deterministic parity automaton over a finite alphabet $\Sigma$ is a tuple $A = (\Sigma, Q, q_0, \delta, p)$ where $Q$ is a finite
set of states with $q_0$ the initial state, $\delta : Q \times \Sigma \to Q$ is a transition function that assigns a unique state⁴ to
each given state and symbol, and $p : Q \to \mathbb{N}$ is a priority function that assigns a priority to each state.

For infinite words $u = \sigma_0 \sigma_1 \cdots \in \Sigma^\omega$, there exists a unique run $\rho(u) = \rho_0 \rho_1 \cdots \in Q^\omega$ such that
$\rho_0 = q_0$ and $\forall k \ge 0 \cdot \rho_{k+1} = \delta(\rho_k, \sigma_k)$. We denote by $Inf(\rho(u))$ the set of states that appear infinitely
often in $\rho(u)$. The language $L(A)$ is the set of words $u \in \Sigma^\omega$ such that $\min\{p(q) \mid q \in Inf(\rho(u))\}$ is even.
We have the next theorem (see for instance El).

Theorem 3. Let $\phi$ be an LTL formula over $P$. One can construct a deterministic parity automaton $A_\phi$
such that $L(A_\phi) = [\![\phi]\!]$. If $\phi$ has size $n$, then $A_\phi$ has $2^{2^{O(n \log n)}}$ states and $2^{O(n)}$ priorities.

3.2 Game graphs 

A game graph $G = (S, s_0, E)$ consists of a finite set $S$ of states partitioned into $S_1$ the states of Player 1,
and $S_2$ the states of Player 2 (that is $S = S_1 \uplus S_2$), an initial state $s_0$, and a set $E \subseteq S \times S$ of edges such
that for all $s \in S$, there exists a state $s' \in S$ such that $(s, s') \in E$. A game on $G$ starts from the initial
state $s_0$ and is played in rounds as follows. If the game is in a state belonging to $S_1$, then Player 1 chooses
the successor state among the set of outgoing edges; otherwise Player 2 chooses the successor state. Such
a game results in a play that is an infinite path $\rho = s_0 s_1 \ldots s_n \ldots$, whose prefix $s_0 s_1 \ldots s_n$ of length⁵ $n$
is denoted by $\rho(n)$. We denote by $Plays(G)$ the set of all plays in $G$ and by $Pref(G)$ the set of all prefixes
of plays in $G$. A turn-based game is a game graph $G$ such that $E \subseteq (S_1 \times S_2) \cup (S_2 \times S_1)$, meaning that
each game is played in rounds alternately by Player 1 and Player 2.

Objectives - An objective for $G$ is a set $\Omega \subseteq S^\omega$. Let $p : S \to \mathbb{N}$ be a priority function and $w : E \to \mathbb{Z}$ be
a weight function where positive weights represent rewards. The energy level of a prefix $\gamma = s_0 s_1 \ldots s_n$
of a play is $EL_G(\gamma) = \sum_{i=0}^{n-1} w(s_i, s_{i+1})$, and the mean-payoff value of a play $\rho = s_0 s_1 \ldots s_n \ldots$ is
$MP_G(\rho) = \liminf_{n \to \infty} \frac{1}{n} \cdot EL_G(\rho(n))$.⁶ Given a play $\rho$, we denote $Inf(\rho)$ the set of states $s \in S$ that
appear infinitely often in $\rho$. The following objectives $\Omega$ are considered in the sequel:

- Safety objective. Given a set $\alpha \subseteq S$, the safety objective is defined as $Safety_G(\alpha) = Plays(G) \cap \alpha^\omega$.

- Parity objective. The parity objective is defined as $Parity_G(p) = \{\rho \in Plays(G) \mid \min\{p(s) \mid s \in
Inf(\rho)\}$ is even$\}$.

- Energy objective. Given an initial credit $c_0 \in \mathbb{N}$, the energy objective is defined as $PosEnergy_G(c_0) =
\{\rho \in Plays(G) \mid \forall n \ge 0 : c_0 + EL_G(\rho(n)) \ge 0\}$.

- Mean-payoff objective. Given a threshold $\nu \in \mathbb{Q}$, the mean-payoff objective is defined as $MeanPayoff_G(\nu)
= \{\rho \in Plays(G) \mid MP_G(\rho) \ge \nu\}$.

- Combined objective. The energy safety objective $PosEnergy_G(c_0) \cap Safety_G(\alpha)$ (resp. energy parity
objective $PosEnergy_G(c_0) \cap Parity_G(p)$, mean-payoff parity objective $MeanPayoff_G(\nu) \cap Parity_G(p)$)
combines the requirements of energy and safety (resp. energy and parity, energy and mean-payoff)
objectives.

When an objective $\Omega$ is imposed on a game $G$, we say that $G$ is an $\Omega$ game. For instance, if $\Omega$ is an
energy safety objective, we say that $G$ is an energy safety game, and so on.



⁴ In this definition, a deterministic parity automaton is also complete.

⁵ The length is counted as the number of edges.

⁶ Notation EL, MP and Outcome is here used with the index $G$ to avoid any confusion with the same notation
introduced in the previous section.



Strategies - Given a game graph $G$, a strategy for Player 1 is a function $\lambda_1 : S^* S_1 \to S$ such that
$(s, \lambda_1(\gamma \cdot s)) \in E$ for all $\gamma \in S^*$ and $s \in S_1$. A play $\rho = s_0 s_1 \ldots s_n \ldots$ starting from the initial state
$s_0$ is compatible with $\lambda_1$ if for all $k \ge 0$ such that $s_k \in S_1$ we have $s_{k+1} = \lambda_1(\rho(k))$. Strategies and
play compatibility are defined symmetrically for Player 2. The set of strategies of Player 1 (resp. Player 2)
is denoted by $\Pi_1$ (resp. $\Pi_2$). We denote by $Outcome_G(\lambda_1, \lambda_2)$ the play from $s_0$, called outcome, that is
compatible with $\lambda_1$ and $\lambda_2$. The set of all outcomes $Outcome_G(\lambda_1, \lambda_2)$, with $\lambda_2$ any strategy of Player 2, is
denoted by $Outcome_G(\lambda_1)$. A strategy $\lambda_1$ for Player 1 is winning for an objective $\Omega$ if $Outcome_G(\lambda_1) \subseteq \Omega$.
We also say that $\lambda_1$ is winning in the $\Omega$ game $G$.

A strategy $\lambda_1$ of Player 1 is finite-memory if there exists a right-congruence $\sim$ on $Pref(G)$ with finite
index such that $\lambda_1(\gamma \cdot s_1) = \lambda_1(\gamma' \cdot s_1)$ for all $\gamma \sim \gamma'$ and $s_1 \in S_1$. The size of the memory is equal to the
number of equivalence classes of $\sim$. We say that $\lambda_1$ is memoryless if $\sim$ has only one equivalence class. In
other words, $\lambda_1$ is a mapping $S_1 \to S$ that only depends on the current state.

Energy safety games - Let us consider a safety game $(G, \alpha)$ with the safety objective $Safety_G(\alpha)$, or
equivalently, with the objective to avoid $S \setminus \alpha$. The next classical fixpoint algorithm allows one to check
whether Player 1 has a winning strategy (see [19] for example). We define the fixpoint $Win_1(\alpha)$ of the
sequence $W_0 = \alpha$, $W_{k+1} = W_k \cap (\{s \in S_1 \mid \exists (s, s') \in E \cdot s' \in W_k\} \cup \{s \in S_2 \mid \forall (s, s') \in E \cdot s' \in W_k\})$
for all $k \ge 0$. It is well-known that Player 1 has a winning strategy $\lambda_1$ in the safety game $(G, \alpha)$ iff
$s_0 \in Win_1(\alpha)$, and that the set $Win_1(\alpha)$ can be computed in polynomial time. Moreover, the subgraph $G'$ of
$G$ induced by $Win_1(\alpha)$ is again a game graph (i.e. every state has an outgoing edge), and if $s_0 \in Win_1(\alpha)$,
then $\lambda_1$ can be chosen as a memoryless strategy $S_1 \to S$ such that $(s, \lambda_1(s))$ is an edge in $G'$ for all
$s \in Win_1(\alpha)$ (Player 1 forces to stay in $G'$). With this induced subgraph, we have the next reduction of
energy safety games to energy games.

Proposition 4 Let $(G, w, \alpha)$ be an energy safety game. Let $(G', w')$ be the energy game such that $G'$ is the
subgraph of $G$ induced by $Win_1(\alpha)$ and $w'$ is the restriction of $w$ to its edges. Then the winning strategies
of Player 1 in $(G', w')$ are the winning strategies in $(G, w, \alpha)$ that are restricted to the states of $Win_1(\alpha)$.

□ 

For an energy game $(G, w)$ (resp. energy safety game $(G, w, \alpha)$), the initial credit problem asks whether
there exist an initial credit $c_0 \in \mathbb{N}$ and a winning strategy for Player 1 for the objective $PosEnergy_G(c_0)$
(resp. $PosEnergy_G(c_0) \cap Safety_G(\alpha)$). It is known that for energy games, this problem can be solved in
NP $\cap$ coNP, and memoryless strategies suffice to witness the existence of winning strategies for Player 1
1711 1 1. Moreover, if we store in the states of the game the current energy level up to some bound $C \ge 0$,
one gets a safety game (whose safe states are those states with a positive energy level). For a sufficiently
large bound $C$, this safety game is equivalent to the initial energy game [9]. Intuitively, the states of this
safety game are pairs $(s, c)$ with $s$ a state of $G$ and $c$ an energy level in $\mathcal{C} = \{\bot, 0, 1, \ldots, C\}$ (with $\bot < 0$).
When adding a positive (resp. negative) weight to an energy level, we bound the sum to $C$ (resp. $\bot = -1$).
The safety objective is to avoid states of the form $(s, \bot)$. Formally, given $(G, w)$ an energy game with
$G = (S, s_0, E)$, we define the safety game $(G_C, \alpha)$ with a graph $G_C = (S', s'_0, E')$ and a safety objective
$\alpha$ as follows:

- $S' = \{(s, c) \mid s \in S, c \in \mathcal{C}\}$

- $s'_0 = (s_0, C)$

- $((s, c), (s', c')) \in E'$ if $e = (s, s') \in E$ and $c \oplus w(e) = c'$

- $\alpha = \{(s, c) \mid s \in S, c \ne \bot\}$

In this definition, we use the operator $\oplus : \mathcal{C} \times \mathbb{Z} \to \mathcal{C}$ such that $c \oplus k = \min(C, c + k)$ if $\{c \ne \bot$ and
$c + k \ge 0\}$, and $\bot$ otherwise.

By Proposition 4, it follows that energy safety games can be reduced to safety games.

Theorem 5. Let $(G, w, \alpha)$ be an energy safety game. Then one can construct a safety game $(G', \alpha')$ such
that Player 1 has a winning strategy in $(G, w, \alpha)$ iff he has a winning strategy in $(G', \alpha')$. □
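
The bounded-energy construction $(G_C, \alpha)$ and the fixpoint $Win_1(\alpha)$ described above, as an added Python example (not code from the paper or from Acacia+). The four-state energy game, the function names and the incremental search over the bound are constructed for illustration; the game is chosen so that credit 2 wins the unbounded energy game from state a, yet the cap C = 2 is too small.

```python
BOT = None  # the level ⊥: the energy dropped below 0 (absorbing, unsafe)

def oplus(c, k, C):
    """c ⊕ k from the text: min(C, c + k) if c != ⊥ and c + k >= 0, else ⊥."""
    if c is BOT or c + k < 0:
        return BOT
    return min(C, c + k)

def safety_game(S1, S2, w, C):
    """Build G_C: states (s, c), successors through ⊕, and the safe set alpha."""
    levels = [BOT] + list(range(C + 1))
    succ = {(s, c): set() for s in S1 | S2 for c in levels}
    for (s, t), k in w.items():
        for c in levels:
            succ[(s, c)].add((t, oplus(c, k, C)))
    alpha = {q for q in succ if q[1] is not BOT}
    return succ, alpha

def win1(S1, succ, alpha):
    """W_0 = alpha; W_{k+1} keeps Player 1 states with SOME successor in W_k
    and Player 2 states with ALL successors in W_k; stop at the fixpoint."""
    W = set(alpha)
    while True:
        nxt = set()
        for q in W:
            inside = [t in W for t in succ[q]]
            if any(inside) if q[0] in S1 else all(inside):
                nxt.add(q)
        if nxt == W:
            return W
        W = nxt

def solve(S1, S2, w, s0, C):
    """Return (does Player 1 win from (s0, C)?, least winning level per state,
    memoryless strategy on the winning region)."""
    succ, alpha = safety_game(S1, S2, w, C)
    W = win1(S1, succ, alpha)
    credit = {}
    for s, c in W:
        credit[s] = min(c, credit.get(s, c))
    # Any successor inside W works; min() just makes the choice deterministic.
    strategy = {q: min(t for t in succ[q] if t in W) for q in W if q[0] in S1}
    return (s0, C) in W, credit, strategy

def smallest_bound(S1, S2, w, s0, max_C):
    """Incremental search on the bound C, stopping at the first winning one."""
    for C in range(max_C + 1):
        if solve(S1, S2, w, s0, C)[0]:
            return C
    return None

# Constructed energy game: Player 1 owns a and c, Player 2 owns b and d.
S1, S2 = {"a", "c"}, {"b", "d"}
WEIGHTS = {("a", "b"): -2, ("a", "d"): 1, ("b", "a"): 2, ("b", "c"): 3,
           ("c", "a"): -1, ("d", "d"): -1, ("d", "a"): -2}

if __name__ == "__main__":
    print(smallest_bound(S1, S2, WEIGHTS, "a", 5))
    print(solve(S1, S2, WEIGHTS, "a", 3))
```

With C = 2 the surplus earned on the edge from b to c is truncated, so the play reaches (a, 1) and loses; this is why the text asks for a sufficiently large bound rather than just a sufficient initial credit.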



Energy parity games and mean-payoff parity games - Given an energy parity game (G, w, p), we can also 
formulate the initial credit problem as done previously for energy games. 



Theorem 6 ([12]). The initial credit problem for a given energy parity game $(G, w, p)$ can be solved in
time $O(|E| \cdot d \cdot |S|^{d+3} \cdot W)$ where $|E|$ is the number of edges of $G$, $d$ is the number of priorities used
by $p$ and $W$ is the largest weight (in absolute value) used by $w$. Moreover if Player 1 wins, then he has a
finite-memory winning strategy with a memory size bounded by $4 \cdot |S| \cdot d \cdot W$.

Let us turn to mean-payoff parity games $(G, w, p)$. With each play $\rho \in Plays(G)$, we associate a value
$Val_G(\rho)$ defined as follows (as done in the context of LTLmp realizability):



For a real-valued $\epsilon \ge 0$, a strategy $\lambda_1$ for Player 1 is $\epsilon$-optimal if $Val_G(Outcome_G(\lambda_1, \lambda_2)) \ge \nu_G - \epsilon$
against all strategies $\lambda_2$ of Player 2. It is optimal if it is $\epsilon$-optimal with $\epsilon = 0$. If Player 1 cannot achieve
the parity objective, then $\nu_G = -\infty$, otherwise optimal strategies exist [14] and $\nu_G$ is the largest threshold
$\nu$ for which Player 1 can hope to achieve $MeanPayoff_G(\nu)$.

Theorem 7 ([14, 8, 15]). The optimal value of a mean-payoff parity game $(G, w, p)$ can be computed in
time $O(|E| \cdot |S|^{d+2} \cdot W)$. When $\nu_G \ne -\infty$, optimal strategies for Player 1 may require infinite memory;
however for all $\epsilon > 0$ Player 1 has a finite-memory $\epsilon$-optimal strategy.

3.3 Reduction to a mean-payoff parity game 

Solution to the LTLmp realizability problem - We can now proceed to the proof of Theorem 2. It is based
on the following proposition.

Proposition 8 Let $\phi$ be an LTL formula over $(P, w_P)$. Then one can construct a mean-payoff parity game
$(G_\phi, w, p)$ with $2^{2^{O(n \log n)}}$ states and $2^{O(n)}$ priorities such that the following are equivalent: for each
threshold $\nu \in \mathbb{Q}$

1. there exists a (finite-memory) strategy $\lambda_O$ of Player $O$ such that $Val(Outcome(\lambda_O, \lambda_I)) \ge \nu$ against
all strategies $\lambda_I$ of Player $I$;

2. there exists a (finite-memory) strategy $\lambda_1$ of Player 1 such that $Val_{G_\phi}(Outcome_{G_\phi}(\lambda_1, \lambda_2)) \ge \nu$
against all strategies $\lambda_2$ of Player 2, in the game $(G_\phi, w, p)$.

Moreover, if $\lambda_1$ is a finite-memory strategy with size $m$, then $\lambda_O$ can be chosen as a finite-memory strategy
with size $m \cdot |S_1|$ where $S_1$ is the set of states of Player 1 in $G_\phi$.⁷

Proof. Let $\phi$ be an LTL formula over $P = I \uplus O$, and let $w_P : \mathsf{Lit}(P) \to \mathbb{Z}$ be a weight function. We first
construct a deterministic parity automaton $A_\phi = (\Sigma_P, Q, q_0, \delta, p)$ such that $L(A_\phi) = [\![\phi]\!]$ (see Theorem^).
This automaton has 2 2 ° ( E ' states and $2^{O(n)}$ priorities.

We then derive from $A_\phi$ a turn-based mean-payoff parity game $(G_\phi, w, p')$ with $G_\phi = (S, s_0, E)$ as
follows. The initial state $s_0$ is equal to $(q_0, j_0)$ for some $j_0 \in \Sigma_I$ (footnote 8). To get the turn-based aspect,
the set $S$ is partitioned as $S_1 \uplus S_2$ such that $S_1 = \{(q, i) \mid q \in Q, i \in \Sigma_I\}$ and
$S_2 = \{(q, o) \mid q \in Q, o \in \Sigma_O\}$ (footnote 9). Let us describe the edges of $G_\phi$. For each $q \in Q$,
$o \in \Sigma_O$ and $i \in \Sigma_I$, let $q' = \delta(q, o \cup i)$. Then $E$ contains the two edges $((q, j), (q, o))$ and
$((q, o), (q', i))$ for all $j \in \Sigma_I$. We clearly have $E \subseteq (S_1 \times S_2) \cup (S_2 \times S_1)$.

7 A converse of this corollary could also be stated but is of no utility in the next results. 

8 Symbol $j_0$ can be chosen arbitrarily.

9 We will limit the set of states to the accessible ones. 




The optimal value for Player 1 is defined as

$\nu_G = \sup_{\lambda_1} \inf_{\lambda_2} \mathsf{Val}_G(\mathsf{Outcome}_G(\lambda_1, \lambda_2))$.



Moreover, since $A_\phi$ is deterministic, we have the nice property that there exists a bijection
$\Theta : \Sigma_P^* \to \mathsf{Pref}(G_\phi) \cap (S_1 S_2)^* S_1$ defined as follows. For each
$u = (o_0 \cup i_0)(o_1 \cup i_1) \ldots (o_n \cup i_n) \in \Sigma_P^*$, we consider
in $A_\phi$ the run $\rho(u) = q_0 q_1 \ldots q_{n+1} \in Q^*$ such that $q_{k+1} = \delta(q_k, o_k \cup i_k)$ for all $k$. We then define
$\Theta(u)$ as $(q_0, j_0)(q_0, o_0)(q_1, i_0)(q_1, o_1)(q_2, i_1) \cdots (q_n, o_n)(q_{n+1}, i_n)$. Clearly, $\Theta$ is a bijection and it can be
extended to a bijection $\Theta : \Sigma_P^\omega \to \mathsf{Plays}(G_\phi)$.

The priority function $p' : S \to \mathbb{N}$ for $G_\phi$ is defined from the priority function $p$ of $A_\phi$ by
$p'(q, o) = p'(q, i) = p(q)$ for all $q \in Q$, $o \in \Sigma_O$ and $i \in \Sigma_I$. The weight function $w : E \to \mathbb{Z}$ for
$G_\phi$ is defined from the weight function $w_P$ as follows. For all edges $e$ ending in a state $(q, o)$ with $o \in \Sigma_O$
(resp. $(q, i)$ with $i \in \Sigma_I$), we define $w(e) = w_P(o)$ (resp. $w(e) = w_P(i)$). Notice that $\Theta$ preserves the energy
level, the mean-payoff value and the parity objective, since for each $u \in \Sigma_P^\omega$, we have
(i) $\mathsf{EL}(u(n)) = \mathsf{EL}_{G_\phi}(\Theta(u(n)))$ for all $n$ (footnote 10),
(ii) $\mathsf{MP}(u) = \mathsf{MP}_{G_\phi}(\Theta(u))$, and (iii) $u \models \phi$ iff $\Theta(u)$ satisfies the objective $\mathsf{Parity}_{G_\phi}(p')$.

It is now easy to prove that the two statements of Proposition 8 are equivalent. Suppose that 1. holds.
Given the winning strategy $\lambda_O : (\Sigma_O \Sigma_I)^* \to \Sigma_O$, we are going to define a winning strategy
$\lambda_1 : (S_1 S_2)^* S_1 \to S_2$ of Player 1 in $G_\phi$, with the idea that $\lambda_1$ mimics $\lambda_O$ thanks to the bijection $\Theta$. More
precisely, for any prefix $\gamma \in (S_1 S_2)^* S_1$ compatible with $\lambda_1$, we let $\lambda_1(\gamma) = (q, o)$ such that $(q, i_n)$ is
the last state of $\gamma$ and $o = \lambda_O(o_0 i_0 o_1 i_1 \ldots o_n i_n)$ with
$(o_0 \cup i_0)(o_1 \cup i_1) \ldots (o_n \cup i_n) = \Theta^{-1}(\gamma)$. In this
way, $\lambda_1$ is winning. Indeed $\mathsf{Val}_{G_\phi}(\mathsf{Outcome}_{G_\phi}(\lambda_1, \lambda_2)) \geq \nu$ for any strategy $\lambda_2$ of Player 2
because $\lambda_O$ is winning and by (ii) and (iii) above. Moreover $\lambda_O$ is finite-memory iff $\lambda_1$ is finite-memory.

Suppose now that 2. holds. Given the (finite-memory) winning strategy $\lambda_1$, we define a (finite-memory)
winning strategy $\lambda_O$ with the same kind of arguments as done above. We just give the definition of $\lambda_O$ from
$\lambda_1$. We let $\lambda_O(o_0 i_0 o_1 i_1 \ldots o_n i_n) = o$ such that $\lambda_1(\gamma) = (q, o)$ with
$\gamma = \Theta((o_0 \cup i_0)(o_1 \cup i_1) \ldots (o_n \cup i_n))$.

Suppose now that $\lambda_1$ is finite-memory with size $m$. Let $\sim_1$ be a right-congruence on $\mathsf{Pref}(G_\phi)$ with
index $m$ such that $\lambda_1(\gamma \cdot s) = \lambda_1(\gamma' \cdot s)$ for all $\gamma \sim_1 \gamma'$ and $s \in S_1$. To show that $\lambda_O$ is finite-memory,
we have to define a right-congruence $\sim_O$ on $(\Sigma_O \Sigma_I)^*$ with finite index such that $\lambda_O(u) = \lambda_O(u')$ for
all $u \sim_O u'$. Let $u = o_0 i_0 \ldots o_n i_n$, $u' = o'_0 i'_0 \ldots o'_l i'_l \in (\Sigma_O \Sigma_I)^*$, let
$\Theta((o_0 \cup i_0) \ldots (o_n \cup i_n)) = \gamma \cdot s$, $\Theta((o'_0 \cup i'_0) \ldots (o'_l \cup i'_l)) = \gamma' \cdot s'$.
Looking at the definition of $\lambda_O$, we see that $\sim_O$ has to be defined
such that $u \sim_O u'$ if $\gamma \sim_1 \gamma'$ and $s = s'$. Moreover $\sim_O$ has index $m \cdot |S_1|$.

This completes the proof (footnote 11). □

Proof (of Theorem 2). By Proposition 8, solving the LTLmp realizability problem is equivalent to checking
whether Player 1 has a winning strategy in the mean-payoff parity game $(G_\phi, w, p)$ for the given threshold
$\nu$. By Theorem 7 this check can be done in time $O(|E| \cdot |S|^{d+2} \cdot W)$. Since $G_\phi$ has 2 2 ° ( 8 ' states and
$2^{O(n)}$ priorities (see Proposition 8), the LTLmp realizability problem is in

This proves the 2ExpTime-easiness of the LTLmp realizability problem. The 2ExpTime-hardness of this
problem is a consequence of the 2ExpTime-hardness of the LTL realizability problem (see Theorem 1). □

Proposition 8 and its proof lead to the next two interesting corollaries. The first corollary is immediate.
The second one asserts that the optimal value can be approached with finite memory strategies.

Corollary 9 Let $\phi$ be an LTL formula and $(G_\phi, w, p)$ be the associated mean-payoff parity game graph.
Then $\nu_\phi = \nu_{G_\phi}$. Moreover, when $\nu_\phi \neq -\infty$, one can construct an optimal strategy $\lambda_1$ for Player 1 from
an optimal strategy $\lambda_O$ for Player O, and conversely. □

Corollary 10 Let $\phi$ be an LTL formula. If $\phi$ is MP-realizable, then for all $\epsilon > 0$, Player O has an $\epsilon$-optimal
winning strategy that is finite-memory, that is

$\nu_\phi = \sup_{\lambda_O \text{ finite-memory}} \inf_{\lambda_I} \mathsf{Val}(\mathsf{Outcome}(\lambda_O, \lambda_I))$.

Proof. Suppose that $\phi$ is MP-realizable. By Corollary 9, $\nu_\phi = \nu_{G_\phi} \neq -\infty$. Therefore, by Proposition 8
and Theorem 7, for each $\epsilon > 0$, Player 1 has a finite-memory winning strategy $\lambda_1$ in the mean-payoff

10 For this equality, it is useful to recall footnote 3.

11 Notice that we could have defined a smaller game graph with $S_1 = Q$ and
$w((q, o), q') = \max\{w_P(i) \mid \delta(q, o \cup i) = q'\}$ for all $(q, o) \in S_2$, $q' \in S_1$. The current definition simplifies the proof.



parity game $G_\phi = (S, s_0, E)$ for the threshold $\nu_\phi - \epsilon$. By Proposition 8, from $\lambda_1$, we can derive a finite-memory
winning strategy $\lambda_O$ for the LTLmp realizability of $\phi$ for this threshold, which is thus the required
finite-memory $\epsilon$-optimal winning strategy. □



Solution to the LTLe realizability problem - The same kind of arguments show that the LTLe realizability
problem is 2ExpTime-complete. Indeed, in Proposition 8, it is enough to use a reduction with the same game
$(G_\phi, w, p)$, however with energy parity objectives instead of mean-payoff parity objectives. The proof is
almost identical by taking the same initial credit $c_0$ for both the LTLe realizability of $\phi$ and the energy
objective in $G_\phi$, and by using Theorem 6 instead of Theorem 7.

Theorem 11. The LTLe realizability problem is 2ExpTime-Complete. □

The next proposition states that when $\phi$ is E-realizable, then Player O has a finite-memory strategy
the size of which is related to $G_\phi$. This result is stronger than Corollary 10 since it also holds for optimal
strategies and it gives a bound on the memory size of the winning strategy.

Proposition 12 Let $\phi$ be an LTL formula over $(P, w_P)$ and $(G_\phi, w, p)$ be the associated energy parity
game. Then $\phi$ is E-realizable iff it is E-realizable under finite memory. Moreover Player O has a
finite-memory winning strategy with a memory size bounded by $4 \cdot |S|^2 \cdot d \cdot W$, where $|S|$ is the number of states
of $G_\phi$, $d$ its number of priorities and $W$ its largest absolute weight.

Proof. By Proposition 8 where $G_\phi = (S, s_0, E)$ is considered as an energy parity game, we know that
Player 1 has a winning strategy $\lambda_1$ for the initial credit problem in $G_\phi$. Moreover, by Theorem 6, we can
suppose that this strategy has finite memory $M$ with $|M| \leq 4 \cdot |S| \cdot d \cdot W$. Finally, one can derive a
finite-memory winning strategy $\lambda_O$ for the LTLe realizability of $\phi$ with a memory size bounded by $|M| \cdot |S|$ by
Proposition 8. □



4 Safraless algorithm 

In the previous section, we have proposed an algorithm for solving the LTLmp realizability of a given LTL
formula $\phi$, which is based on a reduction to the mean-payoff parity game $G_\phi$. This algorithm has two main
drawbacks. First, it requires the use of Safra's construction to get a deterministic parity automaton $A_\phi$
such that $L(A_\phi) = [\![\phi]\!]$. This construction is intricate and notoriously difficult to implement efficiently H).
Second, strategies for the game $G_\phi$ may require infinite memory (for the threshold $\nu_{G_\phi}$, see Theorem 7).
This can also be the case for the LTLmp realizability problem, as illustrated by Example 2. In this section,
we show how to circumvent these two drawbacks.



4.1 Finite-memory strategies 

The second drawback (infinite memory strategies) has been already partially solved by Corollary 10 when
the threshold given for the LTLmp realizability is the optimal value $\nu_\phi$. Indeed it states the existence of
finite-memory winning strategies for the thresholds $\nu_\phi - \epsilon$, for all $\epsilon > 0$. We here show that we can
go further by translating the LTLmp realizability problem under finite memory into an LTLe realizability
problem, and conversely.

Recall (see Proposition 8) that testing whether an LTL formula $\phi$ is MP-realizable for a given threshold
$\nu$ is equivalent to solving the mean-payoff parity game $G_\phi$ for the same threshold. Moreover, with the same
game graph, testing whether $\phi$ is E-realizable is equivalent to solving the energy parity game $G_\phi$. Let us study
in more detail the finite-memory winning strategies of $G_\phi$ seen either as a mean-payoff parity game, or as
an energy parity game, through the next property proved in [12].

Proposition 13 ([12]) Let $G = (S, s_0, E)$ be a game with a priority function $p$ and a weight function $w$.
Let $\nu$ be a threshold and $w - \nu$ be the weight function such that $(w - \nu)(e) = w(e) - \nu$ for all edges
$e$ of $G$. Let $\lambda_1$ be a finite-memory strategy for Player 1. Then $\lambda_1$ is winning in the mean-payoff parity
game $(G, w, p)$ with threshold $\nu$ iff $\lambda_1$ is winning in the energy parity game $(G, w - \nu, p)$ for some initial
credit $c_0$.



This proposition leads to the next theorem. 



Theorem 14. Let $\phi$ be an LTL formula over $(P, w_P)$, and $(G_\phi, w, p)$ be its associated mean-payoff
parity game. Then

- the formula $\phi$ is MP-realizable under finite memory for threshold $\nu$ iff $\phi$ over $(P, w_P - \nu)$ is
E-realizable

- if $\phi$ is MP-realizable under finite memory, Player O has a winning strategy whose memory size is
bounded by $4 \cdot |S|^2 \cdot d \cdot W$, where $|S|$ is the number of states of $G_\phi$, $d$ is the number of priorities of $p$
and $W$ is the largest absolute weight of the weight function $w - \nu$.



Proof. If $\phi$ is MP-realizable under finite memory for threshold $\nu$, then by Proposition 8, Player 1 has a
finite-memory strategy $\lambda_1$ in the mean-payoff parity game $(G_\phi, w, p)$. By Proposition 13, $\lambda_1$ is a winning
strategy in the energy parity game $(G_\phi, w - \nu, p)$, which shows (by Proposition 8) that $\phi$ is LTLe-realizable
with weight function $w_P - \nu$ over $\mathsf{Lit}(P)$. The converse is proved similarly.

Finally, given a winning strategy for the LTLe-realizability of $\phi$ with weight function $w - \nu$ over $\mathsf{Lit}(P)$,
we can suppose by Proposition 12 that it is finite-memory with a memory size bounded by $4 \cdot |S|^2 \cdot d \cdot W$,
where $|S|$, $d$ and $W$ are the parameters of the energy parity game $(G_\phi, w - \nu, p)$. This concludes the proof. □

The next corollary follows from Theorem 14 and Corollary 10.

Corollary 15 Let $\phi$ be an LTL formula over $(P, w_P)$. Then for all $\epsilon \in \mathbb{Q}$, with $\epsilon > 0$, the following are
equivalent:

1. $\lambda_O$ is a finite-memory $\epsilon$-optimal winning strategy for the LTLmp-realizability of $\phi$

2. $\lambda_O$ is a winning strategy for the LTLe-realizability of $\phi$ with weight function $w_P - \nu_\phi + \epsilon$ over $\mathsf{Lit}(P)$.

It is important to notice that in this corollary, the memory size of the strategy (as described in
Theorem 14) increases as $\epsilon$ decreases. Indeed, it depends on the weight function $w - \nu_\phi + \epsilon$ used by the energy
parity game $G_\phi$. We recall that if $\epsilon$ is a fraction with denominator $b$, then this weight function must be
multiplied by $b$ in a way to have integer weights (see footnote 2). The largest absolute weight $W$ is thus also multiplied by $b$.

In the sequel, to avoid strategies with infinite memory when solving the LTLmp realizability problem,
we will restrict to the LTLmp realizability problem under finite memory. By Theorem 14 it is enough to
study winning strategies for the LTLe realizability problem (having in mind that the weight function over
$\mathsf{Lit}(P)$ has to be adapted). In the sequel, we only study this problem.



4.2 Safraless construction 

To avoid Safra's construction needed to obtain a deterministic parity automaton for the underlying LTL
formula, we adapt a Safraless construction proposed in [18, 24] for the LTL synthesis problem, in a way to
deal with weights and efficiently solve the LTLe synthesis problem. Instead of constructing a mean-payoff
parity game from a deterministic parity automaton as done in Proposition 8, we will propose a reduction to
a safety game. To this end, we need to define the notion of energy automaton.

Energy automata - Let $(P, w)$ with $P$ a finite set of signals and $w$ a weight function over $\mathsf{Lit}(P)$. We are
going to recall several notions of automata on infinite words over $\Sigma_P$ and introduce the related notion of
energy automata over the weighted alphabet $(\Sigma_P, w)$. An automaton $A$ over the alphabet $\Sigma_P$ is a tuple
$(\Sigma_P, Q, q_0, \alpha, \delta)$ such that $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $\alpha \subseteq Q$ is a set of final
states and $\delta : Q \times \Sigma_P \to 2^Q$ is a transition function. We say that $A$ is deterministic if
$\forall q \in Q \cdot \forall \sigma \in \Sigma_P \cdot |\delta(q, \sigma)| \leq 1$. It is complete if
$\forall q \in Q \cdot \forall \sigma \in \Sigma_P \cdot \delta(q, \sigma) \neq \emptyset$.

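A run of $A$ on a word $u = \sigma_0 \sigma_1 \cdots \in \Sigma_P^\omega$ is an infinite sequence of states
$\rho = \rho_0 \rho_1 \cdots \in Q^\omega$ such that $\rho_0 = q_0$ and $\forall k \geq 0 \cdot \rho_{k+1} \in \delta(\rho_k, \sigma_k)$.
We denote by $\mathsf{Runs}_A(u)$ the set of runs of $A$ on $u$, and by
$\mathsf{Visit}(\rho, q)$ the number of times the state $q$ occurs along the run $\rho$. We consider the following acceptance
conditions:

Non-deterministic Büchi: $\exists \rho \in \mathsf{Runs}_A(u) \cdot \exists q \in \alpha \cdot \mathsf{Visit}(\rho, q) = \infty$

Universal co-Büchi: $\forall \rho \in \mathsf{Runs}_A(u) \cdot \forall q \in \alpha \cdot \mathsf{Visit}(\rho, q) < \infty$

Universal K-co-Büchi: $\forall \rho \in \mathsf{Runs}_A(u) \cdot \sum_{q \in \alpha} \mathsf{Visit}(\rho, q) \leq K$.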

A word $u \in \Sigma_P^\omega$ is accepted by a non-deterministic Büchi automaton (NB) $A$ if $u$ satisfies the
non-deterministic Büchi acceptance condition. We denote by $L_{nb}(A)$ the set of words accepted by $A$. Similarly
we have the notion of universal co-Büchi automaton (UCB) $A$ (resp. universal K-co-Büchi automaton
(UKCB) $(A, K)$) and the set $L_{ucb}(A)$ (resp. $L_{ucb,K}(A)$) of accepted words.

We also now introduce the energy automata. Let $A$ be a NB over the alphabet $\Sigma_P$. The related
energy non-deterministic Büchi automaton (eNB) $A^w$ is over the weighted alphabet $(\Sigma_P, w)$ and has the
same structure as $A$. Given an initial credit $c_0 \in \mathbb{N}$, a word $u$ is accepted by $A^w$ if (i) $u$ satisfies
the non-deterministic Büchi acceptance condition and (ii) $\forall n \geq 0 \cdot c_0 + \mathsf{EL}(u(n)) \geq 0$. We denote
by $L_{nb}(A^w, c_0)$ the set of words accepted by $A^w$ with the given initial credit $c_0$. We also have the
notions of energy universal co-Büchi automaton (eUCB) $A^w$ and energy universal K-co-Büchi automaton
(eUKCB) $(A^w, K)$, and the related sets $L_{ucb}(A^w, c_0)$ and $L_{ucb,K}(A^w, c_0)$. Notice that if $K \leq K'$, then
$L_{ucb,K}(A^w, c_0) \subseteq L_{ucb,K'}(A^w, c_0)$, and that if $c_0 \leq c'_0$, then $L_{ucb,K}(A^w, c_0) \subseteq L_{ucb,K}(A^w, c'_0)$.

The interest of UKCB is that they can be determinized with the subset construction extended with
counters [18, 24]. This construction also holds for eUKCB. Intuitively, for all states $q$ of $A$, we count (up
to $\top = K + 1$) the maximal number of accepting states which have been visited by runs ending in $q$. This
counter is equal to $-1$ when no run ends in $q$. The final states are the subsets in which a state has its counter
greater than $K$ (accepted runs will avoid them). Formally, let $A^w$ be a UKCB $((\Sigma_P, w), Q, q_0, \alpha, \delta)$ with
$K \in \mathbb{N}$. With $\mathcal{K} = \{-1, 0, \ldots, K, \top\}$ (with $\top > K$), we define
$\det(A^w, K) = ((\Sigma_P, w), \mathcal{F}, F_0, \beta, \Delta)$ where:

- $\mathcal{F} = \{F \mid F \text{ is a mapping from } Q \text{ to } \mathcal{K}\}$

- $F_0 = q \in Q \mapsto -1$ if $q \neq q_0$, and $(q_0 \in \alpha)$ otherwise

- $\beta = \{F \in \mathcal{F} \mid \exists q, F(q) = \top\}$

- $\Delta(F, \sigma) = q \mapsto \max\{F(p) \oplus (q \in \alpha) \mid q \in \delta(p, \sigma)\}$



In this definition, $(q \in \alpha) = 1$ if $q$ is in $\alpha$, and $0$ otherwise; we use the operator
$\oplus : \mathcal{K} \times \{0, 1\} \to \mathcal{K}$ such that $k \oplus b = -1$ if $k = -1$, $k \oplus b = k + b$ if
$k \neq -1, \top$ and $k + b \leq K$, and $k \oplus b = \top$ in all other
cases. The automaton $\det(A^w, K)$ has the next properties:

Proposition 16 Let $K \in \mathbb{N}$ and $(A^w, K)$ be an eUKCB. Then $\det(A^w, K)$ is a deterministic and
complete energy automaton such that $L_{ucb,0}(\det(A^w, K), c_0) = L_{ucb,K}(A^w, c_0)$ for all $c_0 \in \mathbb{N}$. □

Energy UKCB and LTLe realizability - We now go through a series of results in a way to construct a
safety game from a UCB $A$ such that $L_{ucb}(A) = [\![\phi]\!]$ (see Theorem 19).

Proposition 17 Let $\phi$ be an LTL formula over $(P, w)$. Then there exists a UCB $A$ such that $L_{ucb}(A) = [\![\phi]\!]$.
Moreover, with the related eUCB $A^w$, the formula $\phi$ is E-realizable with the initial credit $c_0$ iff there exists
a Moore machine $M$ such that $L(M) \subseteq L_{ucb}(A^w, c_0)$.

Proof. Let us take the negation $\neg\phi$ of $\phi$. It is well known (see for instance [22]) that there exists a NB $A$
such that $L_{nb}(A) = [\![\neg\phi]\!]$; moreover $\overline{L_{nb}(A)} = L_{ucb}(A)$ as the accepting conditions are dual. In this way
we get the first part of the proposition. The second part follows from Proposition 12 and the definition of
Moore machines. □

Theorem 18. Let $\phi$ be an LTL formula over $(P, w_P)$. Let $(G_\phi, w, p)$ be the associated energy parity game
with $|S|$ its number of states, $d$ its number of priorities and $W$ its largest absolute weight. Let $A$ be
a UCB with $n$ states such that $L_{ucb}(A) = [\![\phi]\!]$. Let $\mathbb{K} = 4 \cdot n \cdot |S|^2 \cdot d \cdot W$ and $\mathbb{C} = \mathbb{K} \cdot W$. Then $\phi$ is
E-realizable iff there exists a Moore machine $M$ such that $L(M) \subseteq L_{ucb,\mathbb{K}}(A^w, \mathbb{C})$.

Proof. By Propositions 12 and 17, $\phi$ is E-realizable for some initial credit $c_0$ iff there exists a Moore
machine $M$ such that $L(M) \subseteq L_{ucb}(A^w, c_0)$ and $|M| = 4 \cdot |S|^2 \cdot d \cdot W$. Consider now the product of $M$
and $A^w$: in any accessible cycle of this product, there is no accepting state of $A^w$ (as shown similarly for
the qualitative case [18]) and the sum of the weights must be positive. The length of a path reaching such a
cycle is at most $n \cdot |M|$, therefore one gets $L(M) \subseteq L_{ucb, n \cdot |M|}(A^w, n \cdot |M| \cdot W)$. □

Theorem 19. Let $\phi$ be an LTL formula. Then one can construct a safety game in which Player 1 has a
winning strategy iff $\phi$ is E-realizable.

Proof. Given $\phi$ an LTL formula, let us describe the structure of the announced safety game $(G'_{\phi,\mathbb{K},\mathbb{C}}, \alpha')$.
The involved constants $\mathbb{K}$ and $\mathbb{C}$ are those of Theorem 18. By Theorem 5, it is enough to show the statement
with an energy safety game instead of a safety game. The construction of this energy safety game is very
similar to the construction of a mean-payoff parity game from a deterministic parity automaton as given
in the proof of Proposition 8. The main difference is that we will here use a UKCB instead of a parity
automaton.



Let $\phi$ be an LTL formula and $A$ be a UCB such that $L_{ucb}(A) = [\![\phi]\!]$. By Theorem 18 and Proposition 16,
$\phi$ is E-realizable iff there exists a Moore machine $M$ such that $L(M) \subseteq L_{ucb,0}(\det(A^w, \mathbb{K}), \mathbb{C})$. Exactly
as in Proposition 8, we derive from $\det(A^w, \mathbb{K}) = ((\Sigma_P, w), \mathcal{F}, F_0, \beta, \Delta)$ a turn-based energy safety
game $(G'_{\phi,\mathbb{K}}, w, \alpha')$ as follows. The construction of the graph and the definition of $w$ are the same, and
$\alpha' = \mathcal{F} \setminus \beta$. Similarly we have a bijection $\Theta : \Sigma_P^* \to \mathsf{Pref}(G'_{\phi,\mathbb{K}}) \cap (S_1 S_2)^* S_1$ that can be extended
to a bijection $\Theta : \Sigma_P^\omega \to \mathsf{Plays}(G'_{\phi,\mathbb{K}})$. One can verify that for each $u \in \Sigma_P^\omega$, we have
(i) $\mathsf{EL}(u(n)) = \mathsf{EL}_{G'_{\phi,\mathbb{K}}}(\Theta(u(n)))$ for all $n \geq 0$, and
(ii) $\sum_{q \in \beta} \mathsf{Visit}(\rho, q) = 0$ for all runs $\rho$ on $u$ iff $\Theta(u)$ satisfies
the objective $\mathsf{Safety}_{G'_{\phi,\mathbb{K}}}(\alpha')$. It follows that $u \in L_{ucb,0}(\det(A^w, \mathbb{K}), \mathbb{C})$ iff $\Theta(u)$ satisfies the combined
objective $\mathsf{Safety}_{G'_{\phi,\mathbb{K}}}(\alpha') \cap \mathsf{PosEnergy}_{G'_{\phi,\mathbb{K}}}(\mathbb{C})$ (*).

Suppose that $\phi$ is E-realizable. By Theorem 18, there exists a finite-memory strategy $\lambda_O$ represented
by a Moore machine $M$ as given before. As in the proof of Proposition 8, we use $\Theta$ to derive a strategy $\lambda_1$
of Player 1 that mimics $\lambda_O$. As $L(M) \subseteq L_{ucb,0}(\det(A^w, \mathbb{K}), \mathbb{C})$, by (*), it follows that $\lambda_1$ is winning in
the energy safety game $(G'_{\phi,\mathbb{K}}, w, \alpha')$ with the initial credit $\mathbb{C}$.

Conversely, suppose now that $\lambda_1$ is a winning strategy in $(G'_{\phi,\mathbb{K}}, w, \alpha')$ with the initial credit $\mathbb{C}$. We
again use $\Theta$ to derive a strategy $\lambda_O : (\Sigma_O \Sigma_I)^* \to \Sigma_O$ that mimics $\lambda_1$. As $\lambda_1$ is winning, by (*), we have
$\mathsf{Outcome}(\lambda_O) \subseteq L_{ucb,0}(\det(A^w, \mathbb{K}), \mathbb{C})$. It follows that $\phi$ is E-realizable. □

A careful analysis of the complexity of the proposed Safraless procedure shows that it is in 2ExpTime. 



5 Antichains 

In Section 4, we have shown how to reduce the LTLe realizability problem to a safety game. In this section
we explain how to efficiently and symbolically solve this safety game with antichains.

5.1 Description of the safety game 



In the proof of Theorem 19, we have shown how to construct a safety game $(G'_{\phi,\mathbb{K},\mathbb{C}}, \alpha')$ from an LTL
formula $\phi$ such that $\phi$ is E-realizable iff Player 1 has a winning strategy in this game. Let us give the precise
construction of this game, but more generally for any values $K, C \in \mathbb{N}$. Let $A = ((\Sigma_P, w), Q, q_0, \alpha, \delta)$
be a UCB such that $L_{ucb}(A) = [\![\phi]\!]$, and $\det(A^w, K) = ((\Sigma_P, w), \mathcal{F}, F_0, \beta, \Delta)$ be the related energy
deterministic automaton. Let $\mathcal{C} = \{\bot, 0, 1, \ldots, C\}$. The turn-based safety game $(G'_{\phi,K,C}, \alpha')$ with
$G'_{\phi,K,C} = (S = S_1 \uplus S_2, s_0, E)$ has the following structure:

- $S_1 = \{(F, i, c) \mid F \in \mathcal{F}, i \in \Sigma_I, c \in \mathcal{C}\}$

- $S_2 = \{(F, o, c) \mid F \in \mathcal{F}, o \in \Sigma_O, c \in \mathcal{C}\}$

- $s_0 = (F_0, j_0, C)$ with $j_0$ an arbitrary symbol of $\Sigma_I$, and $F_0$ the initial state of $\det(A^w, K)$

- For all $\Delta(F, o \cup i) = F'$, $j \in \Sigma_I$ and $c \in \mathcal{C}$, the set $E$ contains the edges
$((F, j, c), (F, o, c'))$ and $((F, o, c'), (F', i, c''))$
where $c' = c \oplus w(o)$ and $c'' = c' \oplus w(i)$

- $\alpha' = (S_1 \uplus S_2) \setminus \{(F, \sigma, c) \mid \exists q \cdot F(q) = \top \text{ or } c = \bot\}$



Notice that given $K_1 \leq K_2$ and $C_1 \leq C_2$, if Player 1 has a winning strategy in the safety game
$(G'_{\phi,K_1,C_1}, \alpha')$, then he has a winning strategy in the safety game $(G'_{\phi,K_2,C_2}, \alpha')$. The next corollary of
Theorem 19 holds.

Corollary 20 Let $\phi$ be an LTL formula, and $K, C \in \mathbb{N}$. If Player 1 has a winning strategy in the safety
game $(G'_{\phi,K,C}, \alpha')$, then $\phi$ is E-realizable. □

This property indicates that testing whether $\phi$ is E-realizable can be done incrementally by solving the
family of safety games $(G'_{\phi,K,C}, \alpha')$ with increasing values of $K, C \geq 0$ until either Player 1 has a winning
strategy in $(G'_{\phi,K,C}, \alpha')$ for some $K, C$ such that $0 \leq K \leq \mathbb{K}$, $0 \leq C \leq \mathbb{C}$, or Player 1 has no winning
strategy in $(G'_{\phi,\mathbb{K},\mathbb{C}}, \alpha')$.



5.2 Antichains 

The LTLe realizability problem can be reduced to a family of safety games $(G'_{\phi,K,C}, \alpha')$ with
$0 \leq K \leq \mathbb{K}$, $0 \leq C \leq \mathbb{C}$. We here show how to make the fixpoint algorithm that checks whether Player 1
has a winning strategy in $(G'_{\phi,K,C}, \alpha')$ more efficient, by avoiding the explicit construction of this safety game.
This is possible because the states of $G'_{\phi,K,C}$ can be partially ordered, and the sets manipulated by the fixpoint algorithm
can be compactly represented by the antichain of their maximal elements.

Partial order and antichains - Consider the safety game $(G'_{\phi,K,C}, \alpha')$ with $G'_{\phi,K,C} = (S = S_1 \uplus S_2, s_0, E)$
as defined above. We define the relation $\preceq \subseteq S \times S$ by

$(F', \sigma, c') \preceq (F, \sigma, c)$ iff (i) $F' \leq F$ and (ii) $c' \geq c$

where $F, F' \in \mathcal{F}$, $\sigma \in \Sigma_P$, $c, c' \in \mathcal{C}$, and $F' \leq F$ iff $F'(q) \leq F(q)$ for all $q$. It is clear that $\preceq$ is a
partial order. Intuitively, if Player 1 can win the safety game from $(F, \sigma, c)$, then he can also win from all
$(F', \sigma, c') \preceq (F, \sigma, c)$ as (i) it is more difficult to avoid $\top$ from $F$ than from $F'$, and (ii) the energy level
is higher with $c'$ than with $c$. Formally, $\preceq$ is a game simulation relation in the terminology of [2]. The next
lemma will be useful later.

Lemma 21
- For all $F, F' \in \mathcal{F}$ such that $F' \leq F$ and $o \cup i \in \Sigma_P$, we have $\Delta(F', o \cup i) \leq \Delta(F, o \cup i)$.

- For all $c, c' \in \mathcal{C}$ such that $c' \geq c$ and $k \in \mathbb{Z}$, we have $c' \oplus k \geq c \oplus k$.

A set $L \subseteq S$ is closed for $\preceq$ if $\forall (F, \sigma, c) \in L \cdot \forall (F', \sigma, c') \preceq (F, \sigma, c) \cdot (F', \sigma, c') \in L$. Let $L_1$ and
$L_2$ be two closed sets, then $L_1 \cap L_2$ and $L_1 \cup L_2$ are closed. The closure of a set $L \subseteq S$, denoted by
${\downarrow}L$, is the set ${\downarrow}L = \{(F', \sigma, c') \in S \mid \exists (F, \sigma, c) \in L \cdot (F', \sigma, c') \preceq (F, \sigma, c)\}$. Note that if $L$ is closed,
then ${\downarrow}L = L$. A set $L \subseteq S$ is an antichain if all elements of $L$ are incomparable for $\preceq$. Let $L \subseteq S$, we
denote by $\lceil L \rceil$ the antichain composed of the maximal elements of $L$. If $L$ is closed then ${\downarrow}\lceil L \rceil = L$, i.e.
antichains are compact canonical representations for closed sets. The next proposition indicates how to
compute antichains with respect to the union and intersection operations [18].

Proposition 22 Let $L_1, L_2 \subseteq S$ be two antichains. Then:

- ${\downarrow}L_1 \cup {\downarrow}L_2 = {\downarrow}\lceil L_1 \cup L_2 \rceil$

- ${\downarrow}L_1 \cap {\downarrow}L_2 = {\downarrow}\lceil L_1 \sqcap L_2 \rceil$

where $L_1 \sqcap L_2 = \{(F_1, \sigma, c_1) \sqcap (F_2, \sigma, c_2) \mid (F_1, \sigma, c_1) \in L_1, (F_2, \sigma, c_2) \in L_2\}$, and
$(F_1, \sigma, c_1) \sqcap (F_2, \sigma, c_2) = (q \mapsto \min(F_1(q), F_2(q)), \sigma, \max(c_1, c_2))$.
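
The antichain operations of Proposition 22, as an added example that is not code from the paper: both identities are checked by brute-force enumeration of closures over a constructed toy state space. The two automaton states, the letters "a" and "b", K = 1, C = 2, the encoding of ⊤ as K + 1 and the omission of ⊥ from the energy component are assumptions of this sketch.

```python
from itertools import product

# Constructed toy parameters (assumptions, not taken from the paper).
K, C = 1, 2
TOP = K + 1                          # counters are counted "up to T = K + 1"
COUNTERS = range(-1, TOP + 1)        # the set {-1, 0, ..., K, T}
CREDITS = range(0, C + 1)            # energy levels 0..C (bottom left out here)
SYMBOLS = ("a", "b")                 # hypothetical letters playing the role of sigma
N_STATES = 2                         # |Q| of the underlying automaton

# A game state is (F, sigma, c) with F a tuple of counters indexed by Q.
UNIVERSE = [(f, a, c)
            for f in product(COUNTERS, repeat=N_STATES)
            for a in SYMBOLS
            for c in CREDITS]

def leq(s, t):
    """s below t: same letter, counters pointwise smaller, energy at least as high."""
    (f1, a1, c1), (f2, a2, c2) = s, t
    return a1 == a2 and all(x <= y for x, y in zip(f1, f2)) and c1 >= c2

def down(elems):
    """Closure of a set: every state lying below some element of it."""
    return {s for s in UNIVERSE if any(leq(s, t) for t in elems)}

def maximal(elems):
    """Antichain of the maximal elements of a set."""
    elems = set(elems)
    return {s for s in elems if not any(s != t and leq(s, t) for t in elems)}

def meet(s, t):
    """(F1,s,c1) meet (F2,s,c2) = (q -> min(F1(q),F2(q)), s, max(c1,c2))."""
    (f1, a, c1), (f2, _, c2) = s, t
    return (tuple(min(x, y) for x, y in zip(f1, f2)), a, max(c1, c2))

def antichain_union(l1, l2):
    """Antichain representing the union of the two closed sets."""
    return maximal(l1 | l2)

def antichain_intersection(l1, l2):
    """Antichain representing the intersection; only equal letters can meet."""
    return maximal({meet(s, t) for s in l1 for t in l2 if s[1] == t[1]})

# Two constructed antichains over the toy state space.
L1 = {((1, 0), "a", 1), ((0, 2), "a", 0), ((2, 2), "b", 2)}
L2 = {((0, 1), "a", 2), ((2, -1), "a", 0), ((1, 1), "b", 0)}

if __name__ == "__main__":
    inter = antichain_intersection(L1, L2)
    union = antichain_union(L1, L2)
    print("intersection antichain:", sorted(inter))
    print("union antichain:       ", sorted(union))
    print("closed sets agree:",
          down(L1) & down(L2) == down(inter),
          down(L1) | down(L2) == down(union))
```

The closed sets here contain dozens of states while their antichains hold four and five elements, which is the compaction the fixpoint algorithm relies on.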



Fixpoint algorithm with antichains - We recall the fixpoint algorithm to check whether Player 1 has a
winning strategy in the safety game $(G'_{\phi,K,C}, \alpha')$. This algorithm computes the fixpoint $\mathsf{Win}_1(\alpha')$ of the
sequence $W_0 = \alpha'$, $W_{k+1} = W_k \cap \{\{s \in S_1 \mid \exists (s, s') \in E \cdot s' \in W_k\} \cup \{s \in S_2 \mid \forall (s, s') \in E \cdot s' \in W_k\}\}$
for all $k \geq 0$. Player 1 has a winning strategy iff $s_0 \in \mathsf{Win}_1(\alpha')$. Let us show how to efficiently implement
this algorithm with antichains.

Given $L \subseteq S$, let us denote by $\mathsf{CPre}_1(L)$ the set $\{s \in S_1 \mid \exists (s, s') \in E \cdot s' \in L\}$ and by $\mathsf{CPre}_2(L)$ the
set $\{s \in S_2 \mid \forall (s, s') \in E \cdot s' \in L\}$. We have the next lemma.

Lemma 23 If $L \subseteq S$ is a closed set, then $\mathsf{CPre}_1(L)$ and $\mathsf{CPre}_2(L)$ are also closed.



Proof. To get the required property, it is enough to prove that if $(s, s') \in E$ and $r \preceq s$, then there exists
$(r, r') \in E$ with $r' \preceq s'$.

Let us first suppose that $(s, s') \in S_1 \times S_2$. Thus, by definition of $G'_{\phi,K,C}$, we have $s = (F, j, c)$ and
$s' = (F, o, c \oplus w(o))$ for some $F \in \mathcal{F}$, $c \in \mathcal{C}$, $j \in \Sigma_I$ and $o \in \Sigma_O$. Let $r = (G, j, c') \preceq (F, j, c)$, i.e.
$G \leq F$ and $c' \geq c$. We define $r' = (G, o, c' \oplus w(o))$. Then $(r, r') \in E$, $G \leq F$ and $c' \oplus w(o) \geq c \oplus w(o)$
by Lemma 21. It follows that $r' \preceq s'$.

Let us now suppose that $(s, s') \in S_2 \times S_1$. We now have $s = (F, o, c)$ and $s' = (\Delta(F, o \cup i), i, c \oplus w(i))$.
Let $r = (G, o, c') \preceq (F, o, c)$, and let us define $r' = (\Delta(G, o \cup i), i, c' \oplus w(i))$. By Lemma 21 we get
$\Delta(G, o \cup i) \leq \Delta(F, o \cup i)$ and $c' \oplus w(i) \geq c \oplus w(i)$. Therefore $r' \preceq s'$. □

Notice that in the safety game $(G'_{\phi,K,C}, \alpha')$, the set $\alpha'$ is closed by definition. Therefore, by the previous
lemma and Proposition 22, the sets $W_k$ computed by the fixpoint algorithm are closed for all $k \geq 0$, and
can thus be compactly represented by their antichain $\lceil W_k \rceil$. Let us show how to manipulate those sets
efficiently. For this purpose, let us consider in more detail the following sets of predecessors for each
$o \in \Sigma_O$ and $i \in \Sigma_I$:

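$\mathsf{Pre}_o(L) = \{s \in S_1 \mid (s, s') \in E \text{ and } s' = (F, o, c) \in L, \text{ for some } F \in \mathcal{F}, c \in \mathcal{C}\}$
$\mathsf{Pre}_i(L) = \{s \in S_2 \mid (s, s') \in E \text{ and } s' = (F, i, c) \in L, \text{ for some } F \in \mathcal{F}, c \in \mathcal{C}\}$

Notice that $\mathsf{CPre}_1(L) = \bigcup_{o \in \Sigma_O} \mathsf{Pre}_o(L)$ and $\mathsf{CPre}_2(L) = \bigcap_{i \in \Sigma_I} \mathsf{Pre}_i(L)$. Given $(F, o, c) \in S_2$ and
$(F, i, c) \in S_1$, we define

$\Omega(F, o, c) = \{(F, i, c') \mid i \in \Sigma_I,\ c' = \min\{d \in \mathcal{C} \mid d \oplus w(o) \geq c\}\}$ if $c'$ exists,
and $\Omega(F, o, c) = \emptyset$ otherwise.

$\Omega(F, i, c) = \{(F', o, c') \mid o \in \Sigma_O,\ F' = \max\{G \in \mathcal{F} \mid \Delta(G, o \cup i) \leq F\},\ c' = \min\{d \in \mathcal{C} \mid d \oplus w(i) \geq c\}\}$ if $c'$ exists,
and $\Omega(F, i, c) = \emptyset$ otherwise.

When defining the set $\Omega(F, \sigma, c)$, we focus on the worst predecessors with respect to the partial order $\preceq$.
In this definition, $c'$ may not exist since the set $\{d \in \mathcal{C} \mid d \oplus w(\sigma) \geq c\}$ can be empty. However the
set $\{G \in \mathcal{F} \mid \Delta(G, o \cup i) \leq F\}$ always contains $G : q \mapsto -1$. Moreover, even if $\leq$ is a partial order,
$\max\{G \in \mathcal{F} \mid \Delta(G, o \cup i) \leq F\}$ is unique. Indeed if $\Delta(G_1, o \cup i) \leq F$ and $\Delta(G_2, o \cup i) \leq F$, then
$\Delta(G, o \cup i) \leq F$ with $G : q \mapsto \max(G_1(q), G_2(q))$.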



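Proposition 24 For all $F \in \mathcal{F}$, $\sigma \in \Sigma_P$ and $c \in \mathcal{C}$, $\mathsf{Pre}_\sigma({\downarrow}(F, \sigma, c)) = {\downarrow}\Omega(F, \sigma, c)$.

Proof. We only give the proof for $\sigma = i \in \Sigma_I$ since the case $\sigma \in \Sigma_O$ is a particular case. We prove the
two following inclusions.

1) $\mathsf{Pre}_i({\downarrow}(F, i, c)) \subseteq {\downarrow}\Omega(F, i, c)$

Let $s' = (G, i, d) \preceq (F, i, c)$ and $s = (G', o, d')$ such that $(s, s') \in E$. We have to show that
$s \in {\downarrow}\Omega(F, i, c)$. As $(s, s') \in E$, we have $\Delta(G', o \cup i) = G \leq F$ and $d' \oplus w(i) = d \geq c$. It follows that
$(G', o, d') \in {\downarrow}\Omega(F, i, c)$ by definition of $\Omega(F, i, c)$.

2) ${\downarrow}\Omega(F, i, c) \subseteq \mathsf{Pre}_i({\downarrow}(F, i, c))$

Let $(F', o, c') \in \Omega(F, i, c)$ and $s = (G', o, d') \preceq (F', o, c')$. We have to show that there exists
$(s, s') \in E$ with $s' \preceq (F, i, c)$. By definition of $\Omega(F, i, c)$, we have $\Delta(F', o \cup i) \leq F$ and $c' \oplus w(i) \geq c$. As
$G' \leq F'$ and $d' \geq c'$, it follows that $\Delta(G', o \cup i) \leq \Delta(F', o \cup i) \leq F$ and $d' \oplus w(i) \geq c' \oplus w(i) \geq c$
by Lemma 21. Therefore with $s' = (\Delta(G', o \cup i), i, d' \oplus w(i))$ we have $(s, s') \in E$ and $s' \preceq (F, i, c)$.
Thus $(G', o, d') \in \mathsf{Pre}_i({\downarrow}(F, i, c))$.

□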



Propositions 22 and 24 indicate how to limit to antichains the computation steps of the fixpoint algo- 
rithm. 

Corollary 25 If $L \subseteq S$ is an antichain, then $\mathsf{CPre}_1(L) = \bigcup_{o \in \Sigma_O} \bigcup_{(F, o, c) \in L} {\downarrow}\Omega(F, o, c)$ and $\mathsf{CPre}_2(L) =$

Optimizations - The definition of $\Omega(F, i, c)$ requires to compute $\max\{G \in \mathcal{F} \mid \Delta(G, o \cup i) \leq F\}$. This
computation can be done more efficiently using the operator $\ominus : \mathcal{K} \times \{0, 1\} \to \mathcal{K}$, defined as follows:
$k \ominus b = \top$ if $k = \top$, $k \ominus b = -1$ if $k \neq \top$, $k - b \leq -1$, and $k \ominus b = k - b$ in all other cases. Indeed, using
Lemma 4 of ED, one can see that

$\max\{G \in \mathcal{F} \mid \Delta(G, o \cup i) \leq F\} = q \mapsto \min\{F(q') \ominus (q' \in \alpha) \mid q' \in \delta(q, o \cup i)\}$.
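
An added example (not the authors' implementation) of the counter determinization $\Delta$ from Section 4.2 and of the $\ominus$ shortcut above, checked against a brute-force maximum and against the first item of Lemma 21. The three-state UCB, the letters "x" and "y", the encoding ⊤ = K + 1 and the conventions max ∅ = −1, min ∅ = ⊤ are assumptions of this sketch.

```python
from itertools import product

# Constructed toy UCB (assumption, not from the paper).
K = 2
TOP = K + 1                                # encodes T, with T > K
COUNTERS = tuple(range(-1, TOP + 1))       # the set {-1, 0, ..., K, T}
Q = (0, 1, 2)
Q0 = 0
ALPHA = {1}                                # final states of the UCB
DELTA = {
    (0, "x"): {0, 1}, (1, "x"): {2}, (2, "x"): {2},
    (0, "y"): {0}, (1, "y"): {1, 2}, (2, "y"): set(),
}
LETTERS = ("x", "y")

def oplus(k, b):
    """k (+) b: -1 stays -1, the counter saturates to TOP once it would exceed K."""
    if k == -1:
        return -1
    if k != TOP and k + b <= K:
        return k + b
    return TOP

def ominus(k, b):
    """k (-) b: TOP stays TOP, the result never drops below -1."""
    if k == TOP:
        return TOP
    if k - b <= -1:
        return -1
    return k - b

def initial():
    """F0: -1 everywhere except q0, which gets (q0 in alpha)."""
    return tuple(int(Q0 in ALPHA) if q == Q0 else -1 for q in Q)

def step(F, sigma):
    """Delta(F, sigma) = q -> max{F(p) (+) (q in alpha) | q in delta(p, sigma)}."""
    return tuple(
        max((oplus(F[p], int(q in ALPHA)) for p in Q if q in DELTA[(p, sigma)]),
            default=-1)                    # no run ends in q
        for q in Q)

def run(word):
    """Counter function reached by det(A, K) after reading the word."""
    F = initial()
    for sigma in word:
        F = step(F, sigma)
    return F

def is_final(F):
    """Membership in beta: some counter has reached TOP."""
    return TOP in F

def leq(F, G):
    return all(x <= y for x, y in zip(F, G))

def max_pred(F, sigma):
    """Shortcut: q -> min{F(q') (-) (q' in alpha) | q' in delta(q, sigma)}."""
    return tuple(
        min((ominus(F[q2], int(q2 in ALPHA)) for q2 in DELTA[(q, sigma)]),
            default=TOP)                   # q has no successor: unconstrained
        for q in Q)

ALL_F = list(product(COUNTERS, repeat=len(Q)))
STEP = {(G, s): step(G, s) for G in ALL_F for s in LETTERS}

def max_pred_bruteforce(F, sigma):
    """Pointwise maximum of every G with Delta(G, sigma) <= F."""
    cands = [G for G in ALL_F if leq(STEP[(G, sigma)], F)]
    return tuple(max(G[q] for G in cands) for q in Q)

def shortcut_matches_bruteforce():
    return all(max_pred(F, s) == max_pred_bruteforce(F, s)
               for F in ALL_F for s in LETTERS)

def delta_is_monotone():
    """First item of Lemma 21: F' <= F implies Delta(F', s) <= Delta(F, s)."""
    return all(leq(STEP[(F1, s)], STEP[(F2, s)])
               for F1 in ALL_F for F2 in ALL_F if leq(F1, F2) for s in LETTERS)

if __name__ == "__main__":
    print(run("xxy"), run("xxyy"), is_final(run("xxyy")))
    print(shortcut_matches_bruteforce(), delta_is_monotone())
```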

It is possible to reduce the size of the safety game $(G'_{\phi,K,C}, \alpha')$ such that $S_1 = \{(F, c) \mid F \in \mathcal{F}, c \in \mathcal{C}\}$
instead of $\{(F, i, c) \mid F \in \mathcal{F}, i \in \Sigma_I, c \in \mathcal{C}\}$. We refer to the proof of Proposition 8 and footnote 11 for
the justification.

LTLe synthesis - If Player 1 has a winning strategy in the safety game $(G'_{\phi,K,C}, \alpha')$, that is, the given
formula $\phi$ is E-realizable, then it is easy to construct a Moore machine $M$ that realizes it. As described in
[18], $M$ can be constructed from the antichain $\lceil \mathsf{Win}_1(\alpha') \rceil$ computed by the fixpoint algorithm, with the
advantage of having a small size bounded by the size of $\lceil \mathsf{Win}_1(\alpha') \rceil$ (see Section 7.2).



Forward algorithm - The proposed fixpoint algorithm works in a backward manner. In [18], the authors
propose a variant of the OTFUR algorithm of [ 1 1 that computes a winning strategy for Player 1 (if it
exists) in a forward fashion, starting from the initial state of the safety game. This forward algorithm can
be adapted to the safety game $(G'_{\phi,K,C}, \alpha')$. As for the backward fixpoint algorithm, it is not necessary to
construct the game explicitly and antichains can again be used [18]. Compared to the backward algorithm,
the forward algorithm has the following advantage: it only computes winning states $(F, \sigma, c)$ (for Player 1)
which are reachable from the initial state. Nevertheless, it computes a single winning strategy if it exists,
whereas the backward algorithm computes a fixpoint from which we can easily enumerate the set of all
winning strategies (in the safety game).



6 Extension to multi-dimensional weights 

Multi-dimensional LTLmp and LTI_e realizability problems - The LTLmp and LTI_e realizability prob- 
lems can be naturally extended to multi-dimensional weights. Given F, we define a weight function 
w : Lit(F) — > Z m , for some dimension m > 1. The concepts of energy level EL, mean-payoff value 
MP, and value Val are defined similarly. Given an LTL formula cf> over (F, w) and a threshold v G Q m , the 
multi-dimensional LTLmp realizability problem {under finite memory) asks to decide whether there exists 
a (finite-memory) strategy \q of Player O such that Val(Outcome(Ao, A/)) > v against all strategies 
\j of Player The multi-dimensional LTLe realizability problem asks to decide whether there exists 
a strategy \o of Player O and an initial credit Co G N m such that for all strategies \j of Player /, ( i) 
u = 0utcome(A o , A/) |= 0, (ii) Vn > 0, c + EL(«(n)) > (0, . . . , 0). 

12 With $a \geq b$, we mean $a_i \geq b_i$ for all $i$, $1 \leq i \leq m$.



Computational complexity - The 2ExpTime-completeness of the LTLmp and LTLe realizability problems
has been stated in Theorems 2 and 11 in one dimension. In the multi-dimensional case, we have the next
result.



Theorem 26. The multi-dimensional LTLmp realizability problem under finite memory and the
multi-dimensional LTLe realizability problem are in co-N2ExpTime.

Before giving the proof, we need to introduce multi-mean-payoff games and multi-energy games and
some related results. Those games are defined as in Section 3.2 with the only difference that the weight
function $w$ assigns an $m$-tuple of weights to each edge of the underlying graph. The next proposition
extends Proposition 13 to multiple dimensions.

Proposition 27 ([13]). Let $(G, w, m)$ be a game with $w : E \to \mathbb{Z}^m$. Let $\nu \in \mathbb{Q}^m$ be a threshold and
$\lambda_1$ be a finite-memory strategy for Player 1. Then $\lambda_1$ is winning in the multi-mean-payoff parity game
$(G, w, p)$ with threshold $\nu$ iff $\lambda_1$ is winning in the multi-energy parity game $(G, w - \nu)$ for some initial
credit $c \in \mathbb{N}^m$.
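The componentwise threshold test and the equivalence of Proposition 27, checked on a single ultimately periodic outcome (a finite prefix followed by a repeated cycle), as an added Python example that is not from the paper or from Acacia+. The two-dimensional weights are constructed sample values, the LTL condition is not modelled, and all function names are hypothetical.

```python
import math
from fractions import Fraction

# Constructed sample weights (one dimension per client's waiting cost).
WAIT_1 = (-1, 0)   # letter in which client 1 waits
WAIT_2 = (0, -2)   # letter in which client 2 waits

def geq(a, b):
    """Componentwise order: a >= b iff a_i >= b_i for every dimension i."""
    return all(x >= y for x, y in zip(a, b))

def shift(word, nu):
    """Replace every weight vector w by w - nu (the energy view of threshold nu)."""
    return [tuple(Fraction(x) - t for x, t in zip(w, nu)) for w in word]

def mean_payoff(cycle):
    """MP of prefix.cycle^omega: the finite prefix does not affect the limit."""
    return tuple(Fraction(sum(col), len(cycle)) for col in zip(*cycle))

def min_initial_credit(prefix, cycle):
    """Least c0 in N^m with c0 + EL(u(n)) >= 0 for all n, or None if no c0 works."""
    m = len(cycle[0])
    if not geq([sum(col) for col in zip(*cycle)], [0] * m):
        return None                      # some dimension loses energy on every lap
    level = [Fraction(0)] * m
    lowest = [Fraction(0)] * m
    # The cycle never loses energy overall, so laps after the first go no lower.
    for w in list(prefix) + list(cycle):
        level = [l + x for l, x in zip(level, w)]
        lowest = [min(a, b) for a, b in zip(lowest, level)]
    return tuple(math.ceil(-low) for low in lowest)

def agrees(prefix, cycle, nu):
    """(MP >= nu, a finite credit exists for w - nu): equal on every such word."""
    credit = min_initial_credit(shift(prefix, nu), shift(cycle, nu))
    return geq(mean_payoff(cycle), nu), credit is not None

if __name__ == "__main__":
    cycle = [WAIT_1, WAIT_2, WAIT_2, WAIT_2]
    for nu in [(Fraction(-1, 4), Fraction(-3, 2)), (Fraction(-1, 5), Fraction(-3, 2))]:
        print(nu, mean_payoff(cycle), agrees([], cycle, nu),
              min_initial_credit([], shift(cycle, nu)))
```

The second threshold is stricter in the first dimension only, and both tests fail together: the mean-payoff falls below it and no initial credit keeps the shifted energy level non-negative.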

In [15], the authors study the initial credit problem for multi-energy parity games $(G, w, p, m)$. They
introduce the notion of self-covering tree$^{13}$ associated with the game, and show that its depth is bounded
by a constant $l = 2^{(h-1) \cdot |S|} \cdot (W \cdot |S| + 1)^{c \cdot m^2}$ where $|S|$ is the number of states of $G$, $W$ is its largest
absolute weight, $h$ is the highest number of outgoing edges on any state of $S$, $m$ is the dimension, and $c$ is
a constant independent of the game. The next proposition states that multi-energy parity games reduce to
multi-energy games.

Proposition 28 ([15]). Let $(G, w, p, m)$ be a multi-energy parity game with a priority function
$p : S \to \{0, 1, \dots, 2 \cdot d\}$ and a self-covering tree of depth bounded by $l$. Then one can construct a multi-energy
game $(G, w', m')$ with $m' = m + d$ dimensions and a largest absolute weight $W'$ bounded by $l$, such that
a strategy is winning for Player 1 in $(G, w, p, m)$ iff it is winning in $(G, w', m')$.

The next results are taken from [13] and [15].

Theorem 29 ([13, 15]).

— The initial credit problem for a multi-energy game is coNP-Complete.

— If Player 1 has a winning strategy for the initial credit problem in a multi-energy parity game, then he
can win with a finite-memory strategy of at most exponential size.

— Let $(G, w, m)$ be a multi-energy game with a self-covering tree of depth bounded by $l$. If Player 1 has a
winning strategy for the initial credit problem, then he can win with an initial credit $(C, \dots, C) \in \mathbb{N}^m$
such that C = 2-1- 



Proof (of Theorem 26). We proceed as in the proof of Theorems 2 and 11 by reducing the LTLmp (resp.
LTLe) realizability of formula $\phi$ to a multi-mean-payoff (resp. multi-energy) parity game $(G_\phi, w, p, m)$.
By Proposition 27, it is enough to study the multi-dimensional LTLe realizability problem. We reduce
the multi-energy parity game $(G_\phi, w, p, m)$ to a multi-energy game $(G_\phi, w', m')$ as described in
Proposition 28. Careful computations show that the multi-dimensional LTLe realizability problem is in
co-N2ExpTime, by using Theorems 3 and 29. □



Theorem 26 states the complexity of the LTLmp realizability problem under finite memory. Notice that
it is reasonable to ask for finite-memory (instead of any) winning strategies. Indeed, the previous proof
indicates a reduction to a multi-mean-payoff game; winning strategies for Player 1 in such games require
infinite memory in general; however, if Player 1 has a winning strategy for threshold $\nu$, then he has a
finite-memory one for threshold $\nu - \epsilon$ for all $\epsilon > 0$.



13 See [15] for the definition and results.

14 This result is extended in [15] to multi-energy parity games thanks to Proposition 28.



Safraless algorithm - As done in one dimension, we can similarly show that the multi-dimensional LTLe
realizability problem can be reduced to a safety game for which there exist symbolic antichain-based
algorithms. The multi-dimensional LTLmp realizability problem under finite memory can be solved similarly
thanks to Proposition 27.

Theorem 30. Let $\phi$ be an LTL formula. Then one can construct a safety game in which Player 1 has a
winning strategy iff $\phi$ is E-realizable.



Proof. The proof is very similar to the one of Theorem 19. We only indicate the differences.

First, let $(G_\phi, w, p)$ be the multi-energy parity game associated with $\phi$ as described in the proof of
Theorem 26. By Theorem 29 and Proposition 12 adapted to this multi-dimensional game, we know that
if $\phi$ is E-realizable, then Player $O$ has a finite-memory strategy with a memory size $M$ that is at most
exponential in the size of the game.

Second, we need to work with multi-energy automata over a weighted alphabet $(\Sigma_P, w)$, such that $w$
is a function over $Lit(P)$ that assigns $m$-tuples of weights instead of a single weight.

Third, from a UCB $\mathcal{A}$ with $n$ states such that $L_{ucb}(\mathcal{A}) = [\![\phi]\!]$, we construct, similarly as in the
one-dimensional case, a safety game $(G_{\phi,K,C}, \alpha')$ whose positions store a counter for each state of $\mathcal{A}$ and
an energy level for each dimension. The constants $K$ and $C$ are defined differently from the one-dimensional
case: $K = n \cdot M$, and $C$ is equal to the constant $C$ of Theorem 29. □



Antichain-based algorithms - Similarly to the one-dimensional case, testing whether an LTL formula $\phi$ is
E-realizable can be done incrementally by solving a family of safety games related to the safety game given
in Theorem 30. These games can be symbolically solved by the antichain-based backward and forward
algorithms described in Section 5.



7 Experiments 

In the previous sections, in one or several dimensions, we have shown how to reduce the LTLmp (under finite
memory) and LTLe realizability problems to safety games, and how to derive symbolic antichain-based
algorithms. This approach has been implemented in our tool Acacia+. We briefly present this tool and give
some experimental results.



7.1 Tool Acacia+ 

In [4], we present Acacia+, a tool for LTL synthesis using antichain-based algorithms. The main advantage
of this tool, in comparison with other LTL synthesis tools, is to generate compact strategies that are easily
usable in practice. This aspect can be very useful in many application scenarios like synthesis of control
code from high-level LTL specifications, debugging of unrealizable LTL specifications by inspecting compact
counter strategies, and generation of small deterministic Büchi or parity automata from LTL formulas
(when they exist) [4].

Acacia+ is now extended to the synthesis from LTL specifications with mean-payoff objectives in the
multi-dimensional setting. As explained in the previous sections, it solves incrementally a family of safety
games, depending on some values $K$ and $C$, to test whether a given specification $\phi$ is MP-realizable under
finite memory. The tool takes as input an LTL formula $\phi$ with a partition of its set $P$ of atomic signals, a
weight function $w : Lit(P) \to \mathbb{Z}^m$, a threshold value $\nu \in \mathbb{Q}^m$, and two bounds $K \in \mathbb{Z}$ and $C \in \mathbb{Z}^m$
(the user can specify additional parameters to define the incremental policy). It then searches for a
finite-memory winning strategy for Player $O$, within the bounds of $K$ and $C$, and outputs a Moore machine if
such a strategy exists. The latest version of Acacia+ can be downloaded at http://lit2.ulb.ac.be/acaciaplus/
and it can also be used directly online via a web interface. Moreover, many benchmarks
and results tables are available on the website.



7.2 Experiments 



In this section, we present some experiments. They have been done on a Linux platform with a 3.2GHz 
CPU (Intel Core i7) and 12GB of memory. 



Approaching the optimal value - Let us come back to Example 2 where we have given a specification
$\phi$ together with a 1-dimensional mean-payoff objective. For the optimal value $\nu_\phi$, we have shown that
no finite-memory strategy exists, but finite-memory $\epsilon$-optimal strategies exist for all $\epsilon > 0$. In Table 1,
we present the experiments done for some values of $\nu_\phi - \epsilon$. The output strategies for the system behave
Table 1. Acacia+ on the specification of Example 2 with increasing threshold values. The column $\nu$ gives the threshold
values, $K$ and $C$ the minimum values required to obtain a winning strategy, $|\mathcal{M}|$ the size of the Moore machine
representing the strategy and time the execution time (in seconds). Note that the execution times are given for the
forward algorithm applied to the safety game with values $K$ and $C$ (and not with smaller ones).

| $\nu$    | $K$   | $C$   | $\lvert\mathcal{M}\rvert$ | time (s) |
|----------|-------|-------|-------|----------|
| -1.2     | 4     | 7     | 5     | 0.01     |
| -1.02    | 49    | 149   | 50    | 0.05     |
| -1.002   | 499   | 1499  | 500   | 0.34     |
| -1.001   | 999   | 2999  | 1000  | 0.89     |
| -1.0002  | 4999  | 14999 | 5000  | 15.49    |
| -1.0001  | 9999  | 29999 | 10000 | 59.24    |
| -1.00005 | 19999 | 99999 | 20000 | 373      |



as follows: grant the second client $(|\mathcal{M}| - 1)$ times, then grant once client 1, and start over. Thus, the
system almost always plays $g_2 w_1$, except every $|\mathcal{M}|$ steps where he has to play $g_1 w_2$. Obviously, these
strategies are the smallest ones that ensure the corresponding threshold values. They can also be compactly
represented by a two-state automaton with a counter that counts up to $|\mathcal{M}|$. With $\nu = -1.001$ of Table 1,
let us emphasize the interest of using antichains in our algorithms. The underlying state space manipulated
by our symbolic algorithm is huge: since $K = 999$, $C = 2999$ and the number of automata states is 8, the
number of states is around $10^{27}$. However, the fixpoint computed backward is represented by an antichain
of size 2004 only.
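The round-robin strategies of Table 1, rebuilt as input-blind Moore machines and evaluated with exact rationals, as an added Python example (not Acacia+ code and not from the paper). It checks, within this round-robin family only, that the machine of the listed size reaches each threshold while the next smaller one does not. The waiting weights are assumed to be the first dimension of Example 3, the state-count estimate assumes roughly K values per counter and C energy values, and all function names are hypothetical.

```python
from fractions import Fraction

# Assumption: the one-dimensional weights are w(w_1) = -1 and w(w_2) = -2,
# i.e. the first dimension of the weight function of Example 3.
W_WAIT = {1: Fraction(-1), 2: Fraction(-2)}

# Rows of Table 1 as (threshold, size of the Moore machine).
TABLE_1 = [("-1.2", 5), ("-1.02", 50), ("-1.002", 500), ("-1.001", 1000),
           ("-1.0002", 5000), ("-1.0001", 10000), ("-1.00005", 20000)]

def round_robin(size):
    """Moore machine that ignores its input: output[s] is the client granted in state s."""
    output = [2] * (size - 1) + [1]          # grant client 2 (size - 1) times, then client 1
    successor = [(s + 1) % size for s in range(size)]
    return output, successor

def mean_payoff(machine):
    """Exact mean-payoff of the machine's outcome: the average weight over its cycle."""
    output, successor = machine
    state, total, steps = 0, Fraction(0), 0
    while True:
        waiting = 2 if output[state] == 1 else 1   # the client that is not granted waits
        total += W_WAIT[waiting]
        steps += 1
        state = successor[state]
        if state == 0:                             # back to the initial state: cycle closed
            return total / steps

def meets(size, nu):
    return mean_payoff(round_robin(size)) >= Fraction(nu)

def check_table_1():
    """Per row: (threshold, reached with the listed size, reached with one state fewer)."""
    return [(nu, meets(size, nu), meets(size - 1, nu)) for nu, size in TABLE_1]

def state_space_estimate(k, c, automaton_states):
    """Assumed rough count: one counter of about k values per automaton state, c energy values."""
    return k ** automaton_states * c

if __name__ == "__main__":
    for row in check_table_1():
        print(row)
    print("states for K=999, C=2999, 8 automaton states: %.1e"
          % state_space_estimate(999, 2999, 8))
```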

No unsolicited grants - The major drawback of the strategies presented in Table 1 is that many unsolicited
grants might be sent since the server grants the resource access to the clients in a round-robin fashion (with
a longer access for client 2 than for client 1) without taking care of actual requests made by the clients. It
is possible to express in LTL the fact that no unsolicited grants occur, but it is cumbersome. Alternatively,
the LTLmp specification can be easily rewritten with a multi-dimensional mean-payoff objective to avoid
those unsolicited grants, as shown in Example 3.

Example 3. We consider the client-server system of Examples 1 and 2 with the additional requirement
that the server does not send unsolicited grants. This property can be naturally expressed by keeping the
initial LTL specification and proposing a multi-dimensional mean-payoff objective as follows. A new
dimension is added per client, such that a request (resp. grant) signal of client $i$ has a reward (resp. cost) of
1 on his new dimension. More precisely, let $\phi$ and $P$ be as in Example 2; we define $w : Lit(P) \to \mathbb{Z}^3$ as the
weight function such that $w(r_1) = (0, 1, 0)$, $w(r_2) = (0, 0, 1)$, $w(g_1) = (0, -1, 0)$, $w(g_2) = (0, 0, -2)$,
$w(w_1) = (-1, 0, 0)$, $w(w_2) = (-2, 0, 0)$ and $w(l) = (0, 0, 0)$, $\forall l \in Lit(P) \setminus \{r_1, r_2, g_1, g_2, w_1, w_2\}$.

For threshold $\nu = (-1, 0, 0)$, there is no hope to have a finite-memory strategy (see Example 2). For
threshold $\nu = (-1.2, 0, 0)$ and values $K = 4$, $C = (7, 1, 1)$, Acacia+ outputs a finite-memory strategy
computed by the backward algorithm, as depicted in Figure 1. In this figure, the strategy is represented by
a transition system where the red state is the initial state, and the transitions are labeled with symbols $o|i$
with $o \in \Sigma_O$ and $i \in \Sigma_I$. Notice that the labels of all outgoing transitions of a state share the same $o$ part
(since we deal with a strategy). This transition system can be seen as a Moore machine $(M, m_0, \alpha_U, \alpha_N)$
with the same state space (the set $M$ of memory states), and such that for each transition from $m$ to $m'$
labeled by $o \cup i$, we have $\alpha_U(m, i) = m'$ and $\alpha_N(m) = o$. We can verify that no unsolicited grant is done
if the server plays according to this strategy. Moreover, this is the smallest strategy to ensure a threshold
of $(-1.2, 0, 0)$ against the most demanding behavior of the clients, i.e. when they both make requests all
the time (see states 3 to 7), and that avoids unsolicited grants against any other behavior of the clients (see
states to 2).




Fig. 1. Strategy output by Acacia+ for the specification of Example 3, threshold $\nu = (-1.2, 0, 0)$ and values $K = 4$,
$C = (7, 1, 1)$, using the backward algorithm



From Example 3, we derive a benchmark of multi-dimensional examples parameterized by the number
of clients making requests to the server. Some experimental results of Acacia+ on this benchmark are
summarized in Table 2.

Table 2. Acacia+ on the Shared Resource Arbiter benchmark parameterized by the number of clients, with the forward
algorithm. The column $c$ gives the number of clients, $\nu$ the threshold, $K$ (resp. $C$) the minimum value (resp. vector)
required to obtain a winning strategy, $|\mathcal{M}|$ the size of the Moore machine representing the strategy and time the total
execution time (in seconds).

| $c$ | $\nu$              | $K$ | $C$             | $\lvert\mathcal{M}\rvert$ | time (s) |
|-----|--------------------|-----|-----------------|------|----------|
| 2   | (-1.2,0,0)         | 4   | (7,1,1)         | 11   | 0.02     |
| 3   | (-2.2,0,0,0)       | 9   | (19,1,1,1)      | 27   | 0.12     |
| 4   | (-3.2,0,0,0,0)     | 14  | (12,1,1,1,1)    | 65   | 1.81     |
| 5   | (-4.2,0,0,0,0,0)   | 19  | (29,1,1,1,1,1)  | 240  | 59       |
| 6   | (-5.2,0,0,0,0,0,0) | 24  | (17,1,1,1,1,1,1) | 1716 | 4207     |



Approaching the Pareto curve - As last experiment, we consider the 2-client LTLmp specification of
Example 3 where we split the first dimension of the weight function into two dimensions, such that
$w(w_1) = (-1, 0, 0, 0)$ and $w(w_2) = (0, -2, 0, 0)$. With this new specification, since we have several dimensions,
there might be several optimal values for the pairwise order, corresponding to trade-offs between the two
objectives that are (i) to quickly grant client 1 and (ii) to quickly grant client 2. In this experiment, we are
interested in approaching, by hand, the Pareto curve, which consists of all those optimal values, i.e. to find
finite-memory strategies that are incomparable w.r.t. the ensured thresholds, these thresholds being as large
as possible. We give some such thresholds in Table 3, along with minimum $K$ and $C$ and strategy sizes. It
is difficult to automate the construction of the Pareto curve. Indeed, Acacia+ cannot test (in reasonable
time) whether a formula is MP-unrealizable for a given threshold, since it has to reach the huge theoretical
bound on $K$ and $C$. This raises two interesting questions that we leave as future work: how to decide
efficiently that a formula is MP-unrealizable for a given threshold, and how to compute points of the Pareto
curve efficiently.

Table 3. Acacia+ to approach Pareto values. The column $\nu$ gives the threshold, relatively close to the Pareto curve, $K$
(resp. $C$) the minimum value (resp. vector) required to obtain a winning strategy, $|\mathcal{M}|$ the size of the Moore machine
representing the strategy.

| $\nu$            | $K$ | $C$          | $\lvert\mathcal{M}\rvert$ |
|------------------|-----|--------------|------|
| (-0.001,-2,0,0)  | 999 | (1999,1,1,1) | 2001 |
| (-0.15,-1.7,0,0) | 55  | (41,55,1,1)  | 42   |
| (-0.25,-1.5,0,0) | 3   | (7,9,1,1)    | 9    |
| (-0.5,-1,0,0)    | 1   | (3,3,1,1)    | 5    |
| (-0.75,-0.5,0,0) | 3   | (9,7,1,1)    | 9    |
| (-0.85,-0.3,0,0) | 42  | (55,41,1,1)  | 9    |
| (-1,-0.01,0,0)   | 199 | (1,399,1,1)  | 401  |



References 

1. C. S. Althoff, W. Thomas, and N. Wallmeier. Observations on determinization of Büchi automata. Theor. Comput.
Sci., 363(2):224-233, 2006.

2. R. Alur, T. A. Henzinger, O. Kupferman, and M. Y. Vardi. Alternating refinement relations. In D. Sangiorgi and 
R. de Simone, editors, CONCUR, volume 1466 of Lecture Notes in Computer Science, pages 163-178. Springer, 
1998. 



3. R. Bloem, K. Chatterjee, T. A. Henzinger, and B. Jobstmann. Better quality in synthesis through quantitative
objectives. In Bouajjani and Maler [6], pages 140-156.

4. A. Bohy, V. Bruyère, E. Filiot, N. Jin, and J.-F. Raskin. Acacia+, a tool for LTL synthesis. In P. Madhusudan and
S. A. Seshia, editors, CAV, volume 7358 of Lecture Notes in Computer Science, pages 652-657. Springer, 2012. 

5. U. Boker, K. Chatterjee, T. A. Henzinger, and O. Kupferman. Temporal specifications with accumulative values. 
In LICS, pages 43-52. IEEE Computer Society, 2011.

6. A. Bouajjani and O. Maler, editors. Computer Aided Verification, 21st International Conference, CAV 2009, 
Grenoble, France, June 26 - July 2, 2009. Proceedings, volume 5643 of Lecture Notes in Computer Science. 
Springer, 2009. 

7. P. Bouyer, U. Fahrenberg, K. G. Larsen, N. Markey, and J. Srba. Infinite runs in weighted timed automata with 
energy constraints. In F. Cassez and C. Jard, editors, FORMATS, volume 5215 of Lecture Notes in Computer 
Science, pages 33-47. Springer, 2008. 

8. P. Bouyer, N. Markey, J. Olschewski, and M. Ummels. Measuring permissiveness in parity games: Mean-payoff 
parity games revisited. In T. Bultan and P.-A. Hsiung, editors, ATVA, volume 6996 of Lecture Notes in Computer 
Science, pages 135-149. Springer, 2011. 

9. L. Brim, J. Chaloupka, L. Doyen, R. Gentilini, and J.-F. Raskin. Faster algorithms for mean-payoff games. Formal 
Methods in System Design, 38(2):97-118, 2011.

10. F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime. Efficient on-the-fly algorithms for the analysis of timed 
games. In M. Abadi and L. de Alfaro, editors, CONCUR, volume 3653 of Lecture Notes in Computer Science, 
pages 66-80. Springer, 2005. 

11. A. Chakrabarti, L. de Alfaro, T. A. Henzinger, and M. Stoelinga. Resource interfaces. In R. Alur and I. Lee, 
editors, EMSOFT, volume 2855 of Lecture Notes in Computer Science, pages 117-133. Springer, 2003.

12. K. Chatterjee and L. Doyen. Energy parity games. In S. Abramsky, C. Gavoille, C. Kirchner, F. Meyer auf der 
Heide, and P. G. Spirakis, editors, ICALP (2), volume 6199 of Lecture Notes in Computer Science, pages 599-610.
Springer, 2010. 

13. K. Chatterjee, L. Doyen, T. A. Henzinger, and J.-F. Raskin. Generalized mean-payoff and energy games. In 
K. Lodaya and M. Mahajan, editors, FSTTCS, volume 8 of LIPIcs, pages 505-516. Schloss Dagstuhl - Leibniz-
Zentrum fuer Informatik, 2010. 

14. K. Chatterjee, T. A. Henzinger, and M. Jurdzinski. Mean-payoff parity games. In LICS, pages 178-187. IEEE 
Computer Society, 2005. 

15. K. Chatterjee, M. Randour, and J.-F. Raskin. Strategy synthesis for multi-dimensional quantitative objectives. 
In M. Koutny and I. Ulidowski, editors, CONCUR, volume 7454 of Lecture Notes in Computer Science, pages 
115-131. Springer, 2012. 

16. R. Ehlers. Symbolic bounded synthesis. In T. Touili, B. Cook, and P. Jackson, editors, CAV, volume 6174 of 
Lecture Notes in Computer Science, pages 365-379. Springer, 2010. 

17. E. Filiot, N. Jin, and J.-F. Raskin. An antichain algorithm for LTL realizability. In Bouajjani and Maler [6], pages
263-277.

18. E. Filiot, N. Jin, and J.-F. Raskin. Antichains and compositional algorithms for LTL synthesis. Formal Methods 
in System Design, 39(3):261-296, 2011.

19. E. Grädel, W. Thomas, and T. Wilke. Automata, Logics, and Infinite Games: A Guide to Current Research, volume
2500 of Lecture Notes in Computer Science. Springer-Verlag, 2002.

20. T. A. Henzinger. Quantitative reactive models. In R. B. France, J. Kazmeier, R. Breu, and C. Atkinson, editors, 
MoDELS, volume 7590 of Lecture Notes in Computer Science, pages 1-2. Springer, 2012. 

21. B. Jobstmann and R. Bloem. Optimizations for LTL synthesis. In Proceedings of the 6th International Conference 
on Formal Methods in Computer Aided Design (FMCAD), pages 117-124. IEEE Computer Society, 2006.

22. O. Kupferman and M. Y. Vardi. Safraless decision procedures. In FOCS, pages 531-542. IEEE Computer Society, 
2005. 

23. A. Pnueli and R. Rosner. On the synthesis of a reactive module. In POPL, pages 179-190. ACM Press, 1989. 

24. S. Schewe and B. Finkbeiner. Bounded synthesis. In K. S. Namjoshi, T. Yoneda, T. Higashino, and Y. Okamura, 
editors, ATVA, volume 4762 of Lecture Notes in Computer Science, pages 474-488. Springer, 2007.

25. Y. Velner, K. Chatterjee, L. Doyen, T. A. Henzinger, A. Rabinovich, and J.-F. Raskin. The complexity of
multi-mean-payoff and multi-energy games. CoRR, abs/1209.3234, 2012.

26. U. Zwick and M. Paterson. The complexity of mean payoff games on graphs. Theor. Comput. Sci., 158(1&2):343- 
359, 1996. 



